Director – Secure Development Practice
Ms. Meera Rao is a Senior Principal Consultant and the Director of Secure Development Practice at Synopsys, Inc., with over 20 years of experience in software development organizations in a variety of roles, including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analysis, secure design reviews and threat modeling of systems ranging from a few thousand lines of code to systems containing tens of millions of lines of code (Java, JEE, .Net, Rails, Grails, and C/C++).
Ms. Meera has been working as a trusted adviser to Fortune 500 companies helping them achieve realistic goals for Practical CI/CD & DevSecOps. She advises organizations in defining, implementing, maturing, scaling and measuring DevSecOps. Meera was awarded the SecDevOps Trailblazer award from SecuritySerious in London.
Ms. Meera is very passionate about getting more women working in the technology industry. Ms. Meera participates, presents and speaks at several conferences, spreading her knowledge of security and the importance of women in the technology workforce.
Do I shift left, shift right, or run security right through the middle?
With software security blunders making headlines and businesses under increasing pressure to deliver software faster, development and security teams have been tasked with devising a strategy that satisfies demands for both more secure software and more rapid application development. These combined pressures have led to the emergence of DevSecOps, which represents a shift in IT culture to accommodate the growing need for both security and speed. However, security teams want to shift left, development teams want to shift right, and Ops teams want testing throughout all phases of the development cycle, in other words, continuous testing. This leaves us with a lot of options and little guidance. What’s the best approach?
Whether you decide to shift your security practices or maintain your current strategy, no single testing method finds all the vulnerabilities firms should be working to prevent.
For instance, static analysis (taking place at the far left of the SDLC) cannot take business logic into account: it traces how data flows through the code, not whether the code enforces the rules the business expects it to. Security analysts conducting manual secure code reviews can trace business logic, but they cannot hope to trace all tainted user data in a complex application. Penetration testing (taking place at the far right of the SDLC) cannot find architecture issues, which only a design review or architectural risk analysis surfaces. The list goes on and on. Identifying critical vulnerabilities in any modern application requires a comprehensive security strategy.
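To make the first of those gaps concrete, here is an added example that is not code from the original article or from Synopsys. It is a hypothetical funds-transfer service in Python with constructed account data. One defect is a data-flow bug (untrusted input concatenated into SQL) of the kind a static analyser traces and flags; the other is a business-logic bug (no ownership check, no sign check on the amount) in fully parameterised code, where there is no taint to follow and only a reviewer who knows the rule, or a tester who tries to break it, finds it. Every function, table and account name below is an assumption of the example.

```python
"""Added example (not from the original article): a hypothetical funds-transfer
service showing why one testing method is not enough.

Defect 1 is a data-flow bug: untrusted input is concatenated into SQL. A static
analyser finds it by tracing the tainted string to the query sink.
Defect 2 is a business-logic bug: the transfer uses parameterised queries, so
no taint reaches a sink, but nothing checks that the caller owns the source
account or that the amount is positive. Data-flow analysis has nothing to flag.
All account data below is constructed sample data.
"""
import sqlite3


class TransferError(Exception):
    """Raised by the fixed transfer when a business rule is violated."""


def make_db():
    """In-memory SQLite store seeded with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("acc-1", "alice", 100), ("acc-2", "bob", 50)])
    conn.commit()
    return conn


# --- Defect 1: tainted input reaches a SQL sink (static analysis catches this) ---
def balance_vulnerable(conn, account_id):
    # account_id is request-controlled and is formatted straight into the query
    row = conn.execute(
        f"SELECT balance FROM accounts WHERE id = '{account_id}'").fetchone()
    return row[0] if row else None


def balance_fixed(conn, account_id):
    # Parameter binding: the input can never change the query's structure
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return row[0] if row else None


# --- Defect 2: missing business rule (no tainted sink, nothing for taint analysis to flag) ---
def transfer_vulnerable(conn, caller, src, dst, amount):
    # Queries are parameterised, so this passes an injection scan. But `caller`
    # is never compared to the owner of `src`, and a negative amount silently
    # reverses the direction of the transfer.
    with conn:
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))


def transfer_fixed(conn, caller, src, dst, amount):
    # The missing rules, stated explicitly: positive amount, caller owns the
    # source account, and the source can cover the transfer.
    if not isinstance(amount, int) or amount <= 0:
        raise TransferError("amount must be a positive integer")
    row = conn.execute("SELECT owner, balance FROM accounts WHERE id = ?", (src,)).fetchone()
    if row is None or row[0] != caller:
        raise TransferError("caller does not own the source account")
    if row[1] < amount:
        raise TransferError("insufficient funds")
    with conn:  # both updates commit together or not at all
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))


def balances(conn):
    """Current balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def run_demo():
    """Exercise both defects and return what each testing method would observe."""
    results = {}
    # Injection: a UNION smuggles bob's balance out through the vulnerable query.
    payload = "x' UNION SELECT balance FROM accounts WHERE owner = 'bob' --"
    conn = make_db()
    results["injection_vulnerable"] = balance_vulnerable(conn, payload)  # 50: bob's balance leaks
    results["injection_fixed"] = balance_fixed(conn, payload)            # None: no such account

    # Logic flaw: mallory owns neither account yet drains alice into bob's account.
    conn = make_db()
    transfer_vulnerable(conn, "mallory", "acc-1", "acc-2", 100)
    results["logic_vulnerable"] = balances(conn)                         # {'acc-1': 0, 'acc-2': 150}
    conn = make_db()
    try:
        transfer_fixed(conn, "mallory", "acc-1", "acc-2", 100)
        results["logic_fixed"] = "transfer allowed"
    except TransferError as exc:
        results["logic_fixed"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the file prints what each method would see: the injection leaks another customer's balance and is closed by parameter binding, which a static analyser can both flag and verify; the logic flaw lets a caller who owns neither account move funds, and the fix is a rule check that no data-flow scanner could have inferred from the code alone, which is exactly the gap a manual review or a pentest that exercises the transfer has to cover.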
The best way to craft a comprehensive strategy? Shift your reactive security approach to one that is proactive. Rather than working to find bugs that are already in the codebase, address the root cause. Build expertise and provide the information needed to prevent bugs from entering the codebase in the first place. And instead of waiting to fix security vulnerabilities until after they wreak havoc on your applications, treat them like any other bug within your DevOps process.
Cost-effectively increasing maturity in DevSecOps requires a knowledgeable, risk-based approach to adding security activities, increasing depth when required, and improving governance over the testing process. Preventing vulnerabilities from appearing in production will significantly reduce your overall costs while improving your overall security posture.