“IT security tests must be implemented as early as possible in software development,” says Sebastian Schäffer, Head of Sales Marketing at Alice&Bob.Company. In this interview, we talk to him about security tests, automation of IT security and the Shift Left in the development process.
Mr Schäffer, why should companies include IT security tests in software development right from the start?
Schäffer: Today, software is being developed in an increasingly agile manner – release cycles of applications are becoming shorter and shorter, so that it is no longer possible to manually check all security-relevant items before each release. In practice, IT security managers are almost overrun with new releases. That is why it is enormously important to implement automated tests as early as possible in the development process and not later in IT operations. This “Shift Left” is intended to enable developers to detect errors at an early stage and to obtain clear statements about the security level while they are still writing the code. If IT security vulnerabilities are only detected later, during operation of the software, then the release is delayed. This creates a ping-pong game between IT operations and development, which can significantly delay the release.
As a speaker in the webinar “Secure software from the start” by the eco IT Security Competence Group, you described the ratio of employees in software development, IT operations and IT security in many companies as 100 : 10 : 1. Why should this relationship change?
Schäffer: There is an imbalance in IT departments in many companies. Many companies have put the focus on developing digital products and services because it is naturally important to them to quickly implement functional and innovative aspects of software. In doing so, IT security was not always the primary focus. The result: on the one hand, there are far too few IT security specialists in companies and, on the other hand, there is too little automation of security. I think we have to approach the problem from both sides – through higher automation and through training the employees and establishing a security culture in the company.
How can the automation of IT security help us in the future?
Schäffer: There are many different ways to integrate security into the development process and to automate it. This can happen throughout the continuous integration, delivery and deployment (CI/CD) pipeline, for example, through the principle of “compliance as code”. An automated test during development shows employees directly whether their code meets the predefined compliance requirements. Another example is the implementation of continuous penetration testing before each release. Many vulnerabilities are thus detected directly during development. Automation will enable companies to continue to compete in the international market while providing secure digital products.
How can companies ensure IT security in the cloud?
Schäffer: The cloud promises more speed, agility and flexibility. To fully exploit this potential and at the same time increase the level of IT security, it is essential to automate security, especially in the processing of personal data. Even more important than the automation of IT security, however, is a culture of security awareness in the company. The IT security department must no longer be seen as the “department of no”, as a hindrance to innovation. With the Security Champions Programme from Alice&Bob.Company, we train software developers from the product teams to become Security Champions, thus creating a mutual understanding and relieving the IT security department.
Thank you very much for the interview, Mr Schäffer!
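The “compliance as code” check Schäffer describes, as an added example that is not part of the interview and not Alice&Bob.Company’s own tooling: a small set of predefined compliance rules is evaluated automatically against a deployment manifest, so that the developer sees the verdict (and which rule failed) during development instead of at release time. The rule IDs, the rules themselves and the two sample manifests are constructed for this example; a real pipeline would load the manifest from the repository and run the gate as a CI step.

```python
"""Minimal "compliance as code" gate for a CI/CD pipeline.

Added example (not from the interview).  The rules, rule IDs and the sample
manifests below are constructed for illustration; the manifest structure
mirrors a Kubernetes Deployment, read here as a plain Python dict so the
script runs offline without a YAML parser.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str        # constructed rule ID, e.g. "CONTAINER-001"
    container: str   # container name the rule fired on
    message: str     # what the developer is shown


# Predefined compliance requirements (constructed).  Each rule inspects one
# container spec and returns a message when it is violated, otherwise None.
def no_privileged(c):
    if c.get("securityContext", {}).get("privileged", False):
        return "container runs privileged"
    return None


def must_run_as_non_root(c):
    if not c.get("securityContext", {}).get("runAsNonRoot", False):
        return "securityContext.runAsNonRoot is not set to true"
    return None


def pinned_image(c):
    image = c.get("image", "")
    if "@sha256:" in image:          # pinned by digest: strongest form
        return None
    tag = image.rsplit(":", 1)[1] if ":" in image else ""
    if "/" in tag:                   # "registry:5000/app" has a port, not a tag
        tag = ""
    if tag in ("", "latest"):
        return "image is not pinned to a fixed tag or digest"
    return None


SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def no_plaintext_secrets(c):
    for env in c.get("env", []):
        name = env.get("name", "")
        # A literal "value" on a secret-looking variable is a violation;
        # a "valueFrom" reference to a secret store is the compliant form.
        if any(h in name.upper() for h in SECRET_HINTS) and "value" in env:
            return f"env var {name} carries a literal secret value"
    return None


RULES = {
    "CONTAINER-001": no_privileged,
    "CONTAINER-002": must_run_as_non_root,
    "CONTAINER-003": pinned_image,
    "CONTAINER-004": no_plaintext_secrets,
}


def check_manifest(manifest):
    """Evaluate every rule against every container; return all findings."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        for rule_id, rule in RULES.items():
            msg = rule(c)
            if msg:
                findings.append(Finding(rule_id, c.get("name", "<unnamed>"), msg))
    return findings


def gate(manifest):
    """CI gate: True means compliant, the pipeline may proceed."""
    return not check_manifest(manifest)


# Constructed sample manifests.
NONCOMPLIANT = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "web",
    "image": "example/web:latest",
    "securityContext": {"privileged": True},
    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
}]}}}}

COMPLIANT = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "web",
    "image": "example/web:1.4.2",
    "securityContext": {"privileged": False, "runAsNonRoot": True},
    "env": [{"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
}]}}}}

if __name__ == "__main__":
    for f in check_manifest(NONCOMPLIANT):
        print(f"{f.rule} [{f.container}]: {f.message}")
    # Non-zero exit fails the pipeline step, which is the whole point of the gate.
    raise SystemExit(0 if gate(NONCOMPLIANT) else 1)
```

The rules are deliberately boring: the value of the approach lies in the fact that they run on every commit and the developer sees the failing rule ID immediately, not in the sophistication of any single rule. Extending the gate means adding a function to `RULES`; nothing else changes.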