‘We believe Secure SDLC should be mandatory in everything we do’
For us, security is a non-negotiable and continuous part of our work in fintech. We deal with sensitive information on a daily basis for institutional clients while developing new applications. To ensure that security is added to every phase in the software development life cycle (SDLC), our Security Team has worked hard on implementing Secure SDLC (SSDLC) since 2018. But what is it, why do we work with it, and how does it benefit our clients?
In short, SSDLC is a way of building security by design into every phase of your software development life cycle. Transferring all of our Security Team's knowledge to every colleague is incredibly hard, so instead we have selected and tested tooling that embeds that knowledge in the development workflow. Our developers, for instance, work with tools like SonarQube that detect small flaws and vulnerabilities in code early on, explain what went wrong, and suggest a fix. This way our developers can build applications safely while learning from each flagged flaw or vulnerability.
Benefits of SSDLC
Many organizations only conduct security tests after the development phase has been completed. Vulnerabilities and flaws are then found late in the process, when it is hard to trace the source of a problem and more code has often already been built on top of it. A security team then has to comb through the whole application, which is costly and time-consuming and delays the launch. By finding flaws and vulnerabilities early on, you prevent them from growing into bigger issues, reducing both cost and time. It also means the application has been checked before it goes into production: risks are managed and resolved before they can become an issue.
A recent example of how SSDLC has proven its worth is the trouble organizations are still having with the Log4j vulnerabilities disclosed in December 2021. Because we had the right tooling and processes in place, the vulnerability was flagged for review right away, and we could quickly determine that we were not directly impacted ourselves. Having this kind of oversight makes the otherwise tedious job of checking all of our clients' applications much faster and easier, and had there been a problem, our response time would have been much shorter.
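The check that makes this kind of triage fast is a dependency inventory compared against the affected version ranges of a published advisory. The script below is an added example and is not the tooling or code of the original post; it assumes each application's dependencies are available as the output of `mvn dependency:list` (group:artifact:type[:classifier]:version:scope), and it embeds a small hand-written advisory table for log4j-core, whereas real software-composition-analysis tooling reads that table from a vulnerability database. The application names and inventories are constructed for the example.

```python
"""
Dependency triage for a published vulnerability across a portfolio of
applications. Added example; not code from the original post or its authors.
"""
import re
from typing import Dict, List, Optional, Tuple

# Advisory table, constructed for the example. Each entry lists affected
# version ranges as [affected_from, fixed_in). For log4j-core the December 2021
# fix lines are 2.3.2 (Java 6 branch), 2.12.4 (Java 7 branch) and 2.17.1
# (main branch), which together close CVE-2021-44228, CVE-2021-45046,
# CVE-2021-45105 and CVE-2021-44832. Verify ranges against the vendor advisory
# before relying on them.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "org.apache.logging.log4j:log4j-core": [
        ("2.0-beta9", "2.3.2"),
        ("2.4", "2.12.4"),
        ("2.13.0", "2.17.1"),
    ],
}

_QUALIFIER = re.compile(r"([A-Za-z]*)(\d*)")


def version_key(version: str):
    """Sort key approximating Maven ordering: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1."""
    head, _, qualifier = version.partition("-")
    numbers = [int(p) for p in head.split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:  # treat 2.0.0 as 2.0
        numbers.pop()
    name, num = _QUALIFIER.match(qualifier).groups()
    # A release (no qualifier) sorts after any pre-release of the same number.
    return (tuple(numbers), 0 if qualifier else 1, name.lower(), int(num or 0))


def is_affected(coordinate: str, version: str) -> Optional[str]:
    """Return the fixing version if `coordinate` at `version` lies in an affected range."""
    key = version_key(version)
    for lo, hi in ADVISORIES.get(coordinate, []):
        if version_key(lo) <= key < version_key(hi):
            return hi
    return None


def parse_dependency_list(output: str) -> List[Tuple[str, str]]:
    """Extract (group:artifact, version) pairs from `mvn dependency:list` output."""
    found = []
    for line in output.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) not in (5, 6):
            continue  # header, blank and summary lines
        found.append((f"{parts[0]}:{parts[1]}", parts[-2]))  # version precedes scope
    return found


def triage(inventories: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each application to its (coordinate, version, fixed_in) findings."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for app, output in inventories.items():
        hits = []
        for coordinate, version in parse_dependency_list(output):
            fixed_in = is_affected(coordinate, version)
            if fixed_in:
                hits.append((coordinate, version, fixed_in))
        report[app] = hits
    return report


# Constructed inventories standing in for three client applications.
SAMPLE_INVENTORIES = {
    "payments-api": """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
""",
    "reporting-batch": """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.4:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
""",
    "portal-frontend": """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:tests:2.17.1:test
""",
}

if __name__ == "__main__":
    for app, hits in triage(SAMPLE_INVENTORIES).items():
        print(f"{app}: {'IMPACTED' if hits else 'clean'}")
        for coordinate, version, fixed_in in hits:
            print(f"  {coordinate} {version} -> upgrade to {fixed_in}")
```

A manifest-based check like this only sees declared dependencies; a copy of log4j-core shaded into another jar or vendored into a deployment image is invisible to it, so in an incident it should be paired with a scan of the built artifacts and running hosts.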
To summarize, these are the main benefits of SSDLC:
- it helps detect and resolve flaws early in the development process
- it reduces business risk, time, and cost
- it offers oversight of the applications you build and the components they depend on
Organizations don’t always treat security as the ongoing process it actually is. That makes them vulnerable to breaches and leaks. By implementing SSDLC you can be assured that security does not get overlooked and remains a continuous focus. Keeping up to date on security is equally important. That is why our Security Team invests time in reading and scouring forums, testing tooling for and with our developers, attending conferences, and keeping their eyes and ears open for recommendations.
Are you curious to learn more about SSDLC? Or do you want to know more about implementing security? Our Security Team is happy to tell you more about it. You can contact them via firstname.lastname@example.org