Security has never really been a first-class citizen in product development and technology implementations. In practice, the culture has always been to treat security as an afterthought or a hindrance: first you build, then you think about security.
The good news is that security and compliance have moved up the value chain, and the previously limiting factors have all been solved in one way or another with new modernization techniques and platforms.
Geremy Reiner sat down with Rob Eguchi and Bob Abel to discuss how app modernization and security and compliance have evolved.
Security moving up the value chain
- Leadership must be involved from the very beginning to ensure security is treated as a first-class citizen throughout the process. They can’t leave security to just the security team. It needs to start with the culture of security first.
- Security should never be an impediment to innovation. You need to be able to control your data, but you don't want to impede your users' ability to do what they need to do efficiently.
- A security and compliance mindset should be baked into the architecture, design, and testing of the application.
Modernizing a legacy application is a great time to boost security and compliance
- When modernizing an old application, you can break down the monolith, increase agility and performance, and ensure the legacy application adheres to your company’s security policies.
- The modernization process gives you an opportunity to reassess the security controls you had in place throughout each component of the application, such as containers, automated CI/CD pipelines, or security scanning, and decide if a newer technology can be used to boost security.
Organizations can start making security a part of their culture in just a few steps
- The most important step is to establish your security policies based on an understanding of the root need for security in your organization.
- Define the scope of your security needs as narrowly as possible and state exactly what it is you are trying to secure.
- Start with what is most applicable to your organization, whether that is endpoint security, access controls, or the cloud.
- Doing nothing is never a good idea. Doing something to at least move the ball forward in some way is important.
Security should never be subjective
- Security can be objectively measured. It should never be someone’s opinion on how it’s going. Create definitive measures of security and track progress against those metrics.
- You should look at risk mitigation across the entire platform: infrastructure, networking, application, and data. When we talk about app modernization, it's not just the application; it's the entire platform from A to Z.
Successful implementation of security looks different for each application
- A definition of done is critical. Split a large pile of work up into smaller efforts and create a definition of done for each of those efforts.
- Some key questions to ask include what scope you are trying to define and what controls you need to put in place to adhere to the business, security, or compliance policies.