As important as software development is for any organization, for a long time, these capabilities have focused on speed: speed of delivery, speed of response, speed of testing and so on. The myopic emphasis on speed has, in part, blinded us to the fact that we also need to be safe, secure and legally compliant. Thankfully, the pendulum is swinging back toward a moderate position where both speed and safety are important. Recent technical frameworks and standards are pointing us in this direction, and there are at least three broad stakeholder groups catalyzing this:
1. Business communities (both commercial and government).
2. Open-source communities (including the Linux Foundation and the OpenSSF).
3. Standards and industry communities (including ISO, IEEE, The Open Group and government bodies).
As stated earlier, these three stakeholder groups have already embarked on a mission to create a balance between speed and safety in software development. The end game is a convergence of the various programs into a unified framework. If we’re to make sense of this shift, it’s important to understand the balanced development trajectory from the viewpoint of each of these stakeholder groups.
Business Communities
There are many pressures acting on the business community today. The push to accelerate digital transformation is disrupting numerous legacy thought patterns and operating models, while the legitimate pressure to generate revenue at a reasonable cost has never been greater. A complex web of supply chain partners (primary, secondary and tertiary) needs to align in a way that keeps the risk it introduces below an acceptable threshold. That feeds into risk management, where cybersecurity risk is still hard to quantify and to price into decisions. Finally, there are security and privacy obligations, and the legal requirements behind them, that reach all the way to the board.
Balancing this interplay of forces is not easy. It is complex in the sense that when an action is taken, the landscape shifts. Furthermore, any single decision impacts other areas of the organization. As with managing any complex landscape, an infusion of diverse ideas from multiple stakeholders early and regularly reduces the risk. Decisions are reassessed once meaningful feedback is available.
Open-Source Communities
Several open-source communities are spearheading initiatives, which indicates that balanced development is being taken seriously. The Linux Foundation's Best Practices badge program (originally the Core Infrastructure Initiative badge, now run under the OpenSSF) provides coarse-grained, self-assessed guidance on the security posture of projects. Other projects target specific parts of the software supply chain: in-toto records and verifies signed metadata about each step of a build pipeline, TUF (The Update Framework) protects the distribution of software updates against compromised repositories and signing keys, and Uptane adapts TUF to over-the-air updates for vehicles. The OpenSSF is also helping to bridge the technical and business communities, as shown by its “technical vision.” The Department of Defense's efforts around software factories and DevSecOps likewise aim to speed up key internal processes without compromising on security.
Standards And Industry Communities
Standards and industry working groups are rapidly establishing a common set of standards that represent a balanced development viewpoint between speed and security. DevOps standards are emerging with the new IEEE P2675, which calls for cross-functional stakeholders to address both speed and security. Currently, ISO is laying the groundwork for a similar standard for DevOps.
Still more frameworks focus on supply chain security, such as NIST SP 800-161 and CMMC. Privacy standards, guidance and frameworks like ISO 27701, the CNIL's GDPR developer's guide and the LINDDUN privacy threat modeling methodology help bridge the gap between security, privacy and software development. The Open Group is actively working on an operating model that delivers both speed and security against business value with its IT4IT initiative. The effort around the zero trust security model, in particular, is rapidly evolving with NIST SP 800-207, IEEE P2887 and The Open Group's zero trust initiative. All of these efforts point toward improving the balance between speed and security.
Where Are We Headed?
If we look at the work being done by various stakeholder groups, the astute observer will inevitably ask, “Where are we headed?” I believe there is a convergence of the broad perspectives of the three stakeholder groups.
First, the perspective of business value must be weighed. This implies enterprise architecture principles that clearly tie business goals and motivations to the development of organizational capabilities. These capabilities, in turn, support the creation of value streams that encompass the flow of information across different systems. The alignment between business and technical domains remains relevant to the discussion of balanced development.
Second, we must consider capability alignment. Here, we observe several cross-functional capabilities required to enable balanced development: knowledge management, risk management, audit and compliance, requirements management, modeling, asset management and vulnerability management. Each of these, of course, needs to be tailored to the organization insofar as it helps achieve the intended business objectives.
Lastly, consideration must be given to the management of a diverse group of stakeholders. No longer are we constraining ourselves to a group of technical stakeholders but, rather, experiencing a shift toward the democratization of software development security to achieve a more balanced approach in a complex landscape.
A Balanced Approach
We are witnessing an incremental evolution of our software development practices. The seeds of balanced development have been planted and some organizations have embraced this quickly, while others struggle. If we persistently keep at it, refining our software development and security capabilities, we will emerge with a more pragmatic way of managing the delivery of our software — a balanced approach that incorporates both speed and safety.