28 June 2023

The Security Sweetspot

For many organisations, web applications are where the core business takes place. For the same reason, it is also often where innovation takes place and where new features and improvements are regularly implemented. A logical development, but at the same time it changes the threat picture. Whereas the majority of updates used to take place behind closed doors at a slower pace, there are now many more touchpoints with the outside world, and these are constantly evolving in release cycles that follow each other in rapid succession.

Moreover, the number of different technologies at our disposal is growing and applications from different parties are being integrated into ever-expanding digital ecosystems. It is increasingly easy to use ready-made building blocks (libraries) from anywhere and everywhere for product development.

When looking at security, finding the right balance between quality, speed, scalability and cost is crucial. After all, security should not be a ‘disabler’ of rapid innovation. This balance is also known as the ‘security sweetspot’: the point where organisations enjoy optimal protection against cyber threats while still being able to operate efficiently and save costs. This is easier said than done, because how do you get there given the jumble of wishes, factors and stakeholders to consider?

Three benchmarks of security

Three points are crucial to the security sweetspot:

  1. Quality: take the quality of your security systems to the highest level. Invest in new, proven technologies, conduct regular security audits and adopt a proactive security strategy, so that you are protected against the latest security threats.
  2. Speed: ensure a fast and efficient security infrastructure, so that you are able to respond quickly to new threats and patch security vulnerabilities immediately before they are exploited.
  3. Scalability: continuously monitor and evaluate incidents, problems and solutions, and ensure a scalable incident response plan. This makes your security strategy flexible and able to grow with the changing needs of your organisation.

“Security should not be a ‘disabler’ of rapid innovation.”

Reach the security sweetspot with agile security

Keeping these benchmarks in mind is the first step. Finding the right balance between organisational needs, development flexibility and effective security is another. That is possible with agile security. Whereas in the security sweetspot you balance security measures with business requirements, with agile security you ensure effective integration of security within the agile development process.

The classic periodic pen test, like the Waterfall development methodology, was the norm for years. But when you develop agile, with multiple releases per month/week/day, the traditional approach to security doesn’t fit. After all, a continuous stream of great new features is cool, but it brings with it a different risk landscape. The periodic security ‘photo’ is then no longer enough; a continuous stream of ‘footage’ is a better match. With a faster test and feedback loop, your product gains a secure foundation, you avoid surprises afterwards and you have a compelling story for your stakeholders straight away. Security problems are continuously nipped in the bud and measures can be deployed as efficiently as possible.

In doing so, keep the following guidelines in mind:

  • Work risk-based: focus only on the things that are really necessary or useful. If you don’t address security in a practical and non-blocking way, it’s not going to fly.
  • Apply shift-left security, embedding security measures at an early stage of software development and avoiding unnecessary waste of time, resources and money.
  • Build in direct and targeted security feedback loops (diff-reviews) in the slipstream of development, allowing you to keep a close eye on the ball. In doing so, ensure a mix of manual and automated checks.
  • Provide easy, approachable access to technical secure coding expertise.
  • Always make security visible, demonstrable and measurable! One central place (dashboard) where all stakeholders can see up-to-date information on security status, (business) risks and security progress is essential to focus resources and activities. Demonstrability must be continuously in order, so that internal and external stakeholders can be served smoothly at all times.

Finally, the most important lesson: it is impossible to always find everything at once. Applying focus and breaking up large tests into small targeted checks, ‘security snacks’, has proven to work tremendously well. Always validate with efficient and early code reviews that focus fully on security-relevant changes. Investment in good technology is indispensable here. Are there any errors or areas of concern? Then kick them straight to the backlog, so that product owners and the team can work on them.
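As an added illustration of the ‘diff-review’ and ‘security snack’ ideas above (example code written for this page, not tooling from the article, Securify or Solvinity), the script below walks a unified diff and splits it the way the guidelines suggest: files touching security hotspots or dependency manifests go to a human security diff-review, while simple risky patterns are caught automatically and can go straight to the backlog. The hotspot paths, the regex patterns and the sample diff are all constructed assumptions; real projects would tune them to their own code base.

```python
import re

# Constructed heuristics (not from the article): hotspot paths always get a human diff-review;
# the regex patterns are things an automated check can flag on its own.
HOTSPOT_PATHS = re.compile(r"auth|login|session|crypto|token|permission|payment", re.I)
DEPENDENCY_FILES = {"requirements.txt", "package.json", "go.mod", "pom.xml"}
RISKY_ADDITIONS = {
    "dynamic code execution": re.compile(r"\b(eval|exec)\s*\("),
    "possible hardcoded secret": re.compile(r"(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]", re.I),
    "TLS verification disabled": re.compile(r"verify\s*=\s*False"),
}
# A deleted validation call is a silent regression: log it and escalate to a human.
RISKY_REMOVALS = {"validation removed": re.compile(r"\b(validate|sanitize|escape|check_permission)\w*\(")}

def triage_diff(diff_text: str):
    """Walk a unified diff. Returns (files needing manual security review,
    automated findings as (path, reason, line) tuples for the backlog)."""
    manual_review, findings, path = set(), [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            if HOTSPOT_PATHS.search(path) or path.rsplit("/", 1)[-1] in DEPENDENCY_FILES:
                manual_review.add(path)
        elif path is None or line.startswith(("--- ", "@@")):
            continue
        elif line.startswith("+"):
            for reason, pat in RISKY_ADDITIONS.items():
                if pat.search(line[1:]):
                    findings.append((path, reason, line[1:].strip()))
        elif line.startswith("-"):
            for reason, pat in RISKY_REMOVALS.items():
                if pat.search(line[1:]):
                    findings.append((path, reason, line[1:].strip()))
                    manual_review.add(path)
    return manual_review, findings

# Constructed sample diff: one change in an auth hotspot, one in a report exporter.
SAMPLE_DIFF = """\
--- a/app/auth/login.py
+++ b/app/auth/login.py
@@ -11,2 +11,1 @@
-    validate_password_policy(pw)
     token = issue_token(user)
--- a/app/reports/export.py
+++ b/app/reports/export.py
@@ -1,1 +1,3 @@
 import json
+API_KEY = "constructed-example-not-a-real-key"
+requests.get(url, verify=False)
"""
```

Calling `triage_diff(SAMPLE_DIFF)` sends only `app/auth/login.py` to manual review (hotspot path plus a removed validation call) and produces three backlog findings, two of which come from the non-hotspot exporter file without any human effort.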

The synergy between the security sweetspot and agile security

The security sweetspot and agile security are linked like a two-stage rocket in their shared goal of achieving effective security practices while balancing business needs and development agility. They offer additional perspectives that you can use to optimise your organisation’s cybersecurity.

With agile security, you gradually set up useful automated security checks and the resilience of the product is increasingly strengthened. This reduces the security ‘hotspots’ (risks) and thus also the (manual) validation effort. In this way, you create a snowball effect. Test less, secure more!

Want to know more about what agile security can do for your organisation? If so, please contact us or our colleague Leo Lans from Securify. Read more about agile security here.
