April 6, 2023

Last Updated on January 14, 2024

If you built your web application without regard for cybersecurity standards that customers are newly requesting or regulators are requiring, such as NIST SP 800-218 (the Secure Software Development Framework), NIST SP 800-171/CMMC, ISO 27001, HIPAA, GDPR or HITRUST, you could find yourself painfully retrofitting controls into places they were never designed to go. This is a big reason why it is so critical to shift DevSecOps left, into the earliest phases of the software development lifecycle (SDLC).

For example, a number of IoT ecosystem vendors that did not account for California's SB 327 (the state's connected-device security law) now have installed bases of tens of thousands of devices that are out of compliance, with no practical way to update them. This potentially puts the vendor or its customers at risk of enforcement action by the California Attorney General.

Prove you’re secure

André Keartland, Solutions Architect at Netsurit, explains: “A lot of the time, the security standards or goals that you’re trying to meet are not necessarily those of your organization. Especially if you’re writing software for other people, you have to be ready [for compliance requirements].”


You may also need to be ready to produce a software bill of materials (SBOM) that accounts for your third-party libraries; to deliver a guarantee or attestation, backed by credible application security testing, that your solution won't introduce unacceptable security risk into a customer's environment; or to demonstrate to a cyber liability insurance carrier that your software development environment and process are secure.
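To make the SBOM requirement concrete, here is an added example (not code from the original post or from Netsurit) that builds a minimal CycloneDX 1.5 JSON SBOM from a pip-style requirements list. The requirements text, the application name and the `parse_requirements`/`build_sbom` helper names are assumptions for illustration. The one design choice worth noting: it refuses to emit an SBOM when any dependency is not pinned to an exact version, because a component without an exact version cannot be matched against vulnerability advisories, which is the main thing a customer will do with your SBOM.

```python
"""Build a minimal CycloneDX 1.5 JSON SBOM from pinned Python requirements.

Added example, not code from the original post. Assumes pip-style
requirements lines; only exact pins ("pkg==1.2.3") are accepted because
an SBOM whose components lack exact versions cannot be matched against
vulnerability advisories.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input (assumed for this example, not from the post).
REQUIREMENTS = """\
# runtime deps
requests==2.31.0
cryptography==41.0.7
PyJWT[crypto]==2.8.0
urllib3>=1.26
# comment only
"""

# name, optional extras in [...], exact version after ==
PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([A-Za-z0-9.+!-]+)$"
)


def parse_requirements(text):
    """Return (components, unpinned) from requirements text.

    Each component carries name, version and a package-url (purl), the
    identifier downstream SBOM tools key on. Lines that are not exact
    pins are collected in `unpinned` rather than silently dropped.
    """
    components = []
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            unpinned.append(line)
            continue
        # PyPI names are case-insensitive; normalise so purls are stable.
        name = m.group(1).lower().replace("_", "-")
        version = m.group(3)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
        })
    return components, unpinned


def build_sbom(app_name, app_version, requirements_text):
    """Assemble a CycloneDX 1.5 JSON document.

    Raises ValueError if any dependency is not exactly pinned, so a CI
    pipeline fails closed instead of shipping an incomplete inventory.
    """
    components, unpinned = parse_requirements(requirements_text)
    if unpinned:
        raise ValueError(f"unpinned dependencies: {unpinned}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "application",
                "name": app_name,
                "version": app_version,
            },
        },
        "components": components,
    }


if __name__ == "__main__":
    # The sample above contains an unpinned urllib3, so this fails closed.
    try:
        print(json.dumps(build_sbom("example-app", "1.0.0", REQUIREMENTS), indent=2))
    except ValueError as exc:
        print(f"SBOM generation refused: {exc}")
```

Run it as-is and it refuses the sample because of `urllib3>=1.26`; pin that line and it prints a document that CycloneDX-aware scanners and customer intake tools can consume. Pip itself is not the authority on what actually shipped, so in a real pipeline you would generate the SBOM from the built artifact or lock file rather than from a hand-edited requirements file.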

André adds: “A lot of our customers are big banks, and they’ve become very, very, very gun-shy because they’ve realized a lot of the time when they lose data it’s not their systems. It’s software that was being run for them by some vendor or service provider. Those people didn’t have the same security standards [as the bank] and they got compromised.”

DevSecOps is your future, like it or not

Especially for SaaS vendors, it’s important to pay attention in the architecture and design phases to current or near-term market demands like compliance with ISO 27001 or CSA STAR.


Think also about getting out in front of compliance challenges with best-practice guidance like the OWASP Software Assurance Maturity Model (SAMM) and/or an assessment against Level 2 of the OWASP Application Security Verification Standard (ASVS), the level ASVS recommends for most applications that handle sensitive data.

If you’re producing a SaaS application that other orgs will use, if you do business in a US government supply chain, or you’re in a regulated industry, compliance with application security assessment frameworks is what your future looks like—if not your present.

If you’re a CISO or other security decision-maker you might be thinking, “This DevSecOps stuff sounds interesting. But it also sounds like it’s expensive and hard work, so I’m going to pass.” At some point soon you may no longer have that option.


What’s next?

For more guidance on this topic, listen to Episode 114 of The Virtual CISO Podcast with guest André Keartland from Netsurit.