James Ransome - Building in Security at Agile Speed

JAMES RANSOME
BROOK S. E. SCHOENFIELD

This book is dedicated to my parents, who taught me how to think outside the box, and to my teachers at Almond Avenue School, who taught me to both focus and multi-task at the same time, all at a very young age. This has served me well in this journey we call life.

James Ransome

A succeeding generation (to me) of software security specialists are well into their careers, people like (to name just a sample) Luis Servin, Damilare Fagbemi, Sandeep Kumar Singh, Subir Biswas, Francois Proulx, Zoe Braiterman, Jonathan Marcil, Kim Wuyts, and including, Im proud to say, my daughter, Allison Schoenfield. You must carry this work forward, critique it, refine it, recreate it. It is to you, and to those that follow whom you will teach, coach, and mentor, that I dedicate this work. Use what works; throw out what doesnt; reinvent as needed. However you shape and execute your version of software security, you must continue; our digital world is counting on you.

Brook S. E. Schoenfield

Software is changing the trajectory at which the world operates. From driverless cars to cryptocurrency, software reimagines possibilities. With software standing at the core of everything we do, we find ourselves pushing out code faster than ever. Current estimates show that there are over 111 billion lines of new code written per year. And our fixation on rapidly developing the latest technology has positioned security to be in the way, coming at a cost.

Its time to redefine the way we view security and see security as a value, not a cost. When we trust software, new economies are created. For example, todays e-commerce market is possible because of cryptographic protocols and software implementations for Transport Layer Security (TLS) to secure our browsers connections. As a result, todays online economy is the size of Spains gross domestic product (GDP). Security is an enabler for innovation. You cannot have innovation without security.

Today, however, were finding ourselves paying the price for neglecting this foundational element for innovation in favor of speed. Headline-worthy breaches and hacking demonstrations remind us of the debt weve accrued and must pay off. Although some may perceive this as a setback, I see the paradigm shift from software development to secure software development pivotal to the new wave of innovation yet to come. I believe that the implementation of DevSecOps as a formal process within organizations will make a mark on history, multiplying not only the scale but also the speed at which we will be able to push out ingenious solutions.

What do organizations who excel at creating trustworthy software do differently? Consider Google Chrome. Chrome is open source, meaning everyone has complete access to comb through the code to find new vulnerabilities. Chrome is a highly valued target. A single vulnerability could affect millions of users.

Googles Chrome development team has set up security as a process, not an end product. There are four fundamental steps:

Design your code with security in mind.

Find a bug or vulnerability in your code.

Fix the vulnerability, testing to make sure the patch is fit for purpose.

Field the fix into operations.

Google builds security into Chrome with their sandbox design. Chrome sandboxes limit the ability for any one component, for example, the movie player, to compromise the rest of Chrome. A secure SDLC goes beyond design and includes security testing. Chrome leverages tens of thousands of CPU cores to continuously probe for new vulnerabilities using fuzzing. If a vulnerability is found, they can field a fix to over 90% of the world within 30 days. All automatically, without a user having to click upgrade.

In Building In Security at Agile Speed, Dr. James Ransome and Brook S. E. Schoenfield have distilled down the best security lifecycle practices into one comprehensive book. They show both the how, as well as the why. The two juggernauts combine their industry experience to demystify continuous integration and continuous delivery (Cl/CD), DevSecOps, and continuous security so that it no longer remains an art that only the elite few know how to implement. The pair share my vision to democratize this knowledge and give back to the software security community that has given so much to us.

The new possibilities of technology hinge on our ability to execute the principles outlined in Building In Security at Agile Speed. With the knowledge we need to set forth, the future of technology is within reach, but it remains up to youall of usto courageously grasp for it.

I look to the future with confidence as we collaborate together to secure the worlds software.