Government Technology Insider
  • About
  • State & Local
  • Civilian
  • Defense & IC
SUBSCRIBE
No Result
View All Result
  • Acquisition
  • AI & Data
  • Cybersecurity
  • CX
  • Digital Transformation
  • Hybrid Work
    • Work Smarter
  • Public Safety
  • Resources
    • Innovation and Technology to Advance Government
    • World of Work
    • Your Digital Transformation Path Starts Here
    • The Frontlines of Customer Experience
    • Innovative Solutions for Connecting Agencies
    • Be Ready For What’s Next
Government Technology Insider
  • Acquisition
  • AI & Data
  • Cybersecurity
  • CX
  • Digital Transformation
  • Hybrid Work
    • Work Smarter
  • Public Safety
  • Resources
    • Innovation and Technology to Advance Government
    • World of Work
    • Your Digital Transformation Path Starts Here
    • The Frontlines of Customer Experience
    • Innovative Solutions for Connecting Agencies
    • Be Ready For What’s Next
No Result
View All Result
Government Technology Insider
No Result
View All Result
Home Civilian

Secure by Design: Best Practices in Software Development

by Brandon Shopp
September 21, 2022
in Civilian, Cybersecurity
Reading Time: 4 mins read
A A
Secure by Design
Share on FacebookShare on Twitter

Cybersecurity threats have become more sophisticated today as attackers continue targeting the infrastructures we rely on most. In fact, over the past 18 months, the European Union identified 24 targeted attacks on supply chains alone. By adding a stronger focus on securing internal environments and enhancing the product development environment, our Secure by Design guidelines are intended to maximize the integrity of the products we deliver. To make the most of the Secure by Design approach, here are some best practices we’ve learned and expanded along the way:

  1. Implement ephemeral operations. Ephemeral means “temporary,” something all IT pros should utilize during product development. Ephemeral operations are temporary environments unavailable for attackers to compromise. To create an ephemeral environment, IT pros rebuild it each time changes are made during the development process. Almost like a “separation of duties,” resources are produced on demand and tasks dismantled as soon as they’re completed, making it more difficult for threat actors to establish a home base on mission-critical systems.
  2. Produce deterministic artifacts. Until recently, nondeterministic data has been used during the development process, meaning the data may behave differently, although the same inputs have been used. This can be problematic, as nondeterministic data cannot clearly show if there has been any tampering during the software development process. In response, IT pros should utilize a deterministic build, so the process produces the same results from identical inputs even when run by different organizations. This further reduces the risk of any error.
  3. Build in parallel. By building in parallel, IT pros can simultaneously produce multiple, highly secure duplicates of new systems and establish a basis for integrity checks. These systems are called consensus-attested builds and utilize three logical environments, each with user access controls:
    • Standard pipeline: This is the typical day-to-day build system with which developers and security operations personnel interact. IT pros record each build step taken in each pipeline run, cryptographically sign it, and store it in an immutable ledger database.
    • Validation pipeline: Almost no one has access to this highly secure environment, and data doesn’t move beyond the network. All build jobs are handled in the validation environment, and there’s no way to interact with the system other than through highly secured and audited channels available only to DevOps personnel. The purpose of this environment is to replicate the same build process and attested build steps precisely as they’re produced in the standard setting.
    • Security pipeline: The security pipeline is a collection of security checks performed at two levels throughout the software development process.
  4. Record every build step. By creating an immutable record of proof and providing complete traceability attestations, IT pros can produce cryptographically signed statements of fact in every build step. For any given build, the standard, validation, and security environments make receipts of the activities taken and mark them with a key. These attestations from all three pipelines are stored in an immutable database to be analyzed and validated later in the release process.

As the supply chain continues to be a prime target for hackers, it will continue to drive industry-wide initiatives to find viable solutions. We’ll have to become more innovative—and robust—through the learnings from the attacks we face. Advancements in technology have made it possible for organizations worldwide, no matter how large or small, to work together in developing software without fear of a cyber threat.

Brandon Shopp is Group Vice President, Product at SolarWinds. 

Tags: cybercybersecurityNext Gen ITSecure by Designsolarwindssupply chain

RELATED POSTS

healthcare modernization represented by a doctor standing with his arms crossed made out of digital code
Civilian

Healthcare Modernization Is a Marathon, Not a Sprint for U.S. Department of Health and Human Services

January 26, 2023
Identifying the Building Blocks for a Successful Zero Trust Journey
Civilian

Identifying the Building Blocks for a Successful Zero Trust Journey

January 24, 2023
AIOps
AI & Data

How AIOps and Observability Can Improve Network Resiliency During Natural Disasters

January 18, 2023

TRENDING NOW

  • Advana

    Meet Advana: How the Department of Defense Solved its Data Interoperability Challenges

    8514 shares
    Share 3406 Tweet 2129
  • CISA Issues Updated Guidance to Protect Federal Agencies Against Expected Onslaught of DDoS Attacks

    34 shares
    Share 14 Tweet 9
  • Network Slicing Enables Agencies to Create Private, Secure, and Customized Networks: A Podcast

    125 shares
    Share 50 Tweet 31
  • Identifying the Building Blocks for a Successful Zero Trust Journey

    43 shares
    Share 17 Tweet 11

CONNECT WITH US

Advertisement Banner Advertisement Banner Advertisement Banner
Advertisement Banner Ad Advertisement Banner Ad Advertisement Banner Ad
Advertisement Banner Advertisement Banner Advertisement Banner
Advertisement Banner Advertisement Banner Advertisement Banner
Advertisement Banner Ad Advertisement Banner Ad Advertisement Banner Ad
MaaS Nebula Software Factory Banner Ad MaaS Nebula Software Factory Banner Ad MaaS Nebula Software Factory Banner Ad
Advertisement Banner Ad Advertisement Banner Ad Advertisement Banner Ad
Advertisment Banner Ad Advertisment Banner Ad Advertisment Banner Ad
Advertisement Banner Advertisement Banner Advertisement Banner
Advertisement Banner Ad Advertisement Banner Ad Advertisement Banner Ad

BECOME AN INSIDER

Get Government Technology Insider news and updates in your inbox.

Strategic Communications Group is a digital media company that helps business-to-business marketers drive customer demand through content marketing, content syndication, and lead identification.

Related Communities

Financial Technology Today
Future Healthcare Today
Modern Marketing Today
Retail Technology Insider
Today’s Modern Educator

Quick Links

  • Home
  • About
  • Contact Us

Become a Sponsor

Strategic Communications Group offers analytics, content marketing, and lead identification services. Interested?
Contact us!

© 2023 Strategic Communications Group, Inc.
Privacy Policy      |      Terms of Service

No Result
View All Result
  • Home
  • About Government Technology Insider
  • State & Local
  • Civilian
  • Defense & IC
  • Categories
    • Acquisition
    • AI & Data
    • Customer Experience
    • Cybersecurity
    • Digital Transformation
    • Hybrid Work
    • Public Safety
  • Contact Us