Where to Begin Addressing the Policy-to-Execution Gap

Author: Mina Miri, Amir Pourafshar, CISSP, Pooya Mehregan, Ph.D., and Nathanael Mohammed
Date Published: 1 August 2019

How do you transform security and privacy compliance requirements into practical steps that a team can execute? It is not easy, especially in an Agile environment that wants to move quickly. To say that there is a gap between complying with policies and actually executing tasks to that end is only the tip of the iceberg. The rest of the iceberg looks like this:

  • Policies, regulations and standards are designed to be high-level and abstract. There are no simple steps to follow to meet them.
  • Policy-to-execution (P2E) platforms are limited to technical steps for only the software development life cycle (SDLC).
  • Regulatory bodies continue to publish new standards beyond the SDLC.
  • Organizations may perceive security as a disruptor.

For instance, section 4.2 of the PCI-SSLC requires that "[n]ewly discovered vulnerabilities are fixed in a timely manner. The reintroduction of similar or previously resolved vulnerabilities is prevented."

This directive is tantamount to “perform security testing using techniques such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST),” but it gives no indication of how to go about that. Even the most security-conscious developer would not know where to begin. The framework we propose in our Journal article tackles the gap we see here between the need to comply with a regulation and the lack of actionable tasks for doing so.

Effectively translating this policy into actionable tasks requires research. We started with literature reviews of existing workflows and controls for security testing. We sought the following:

  • The identification of gaps
  • The analysis of gaps
  • The definition of actionable steps

Next, we interviewed subject matter experts (SMEs). These are the kinds of questions we wanted answered:

  • What are the existing methods in use for performing these tasks?
  • How often should a task be performed?
  • What are the relevant roles and responsibilities in your team?

We used these answers and criteria to build a task list that would:

  • Define processes for performing each task, extending beyond the SDLC from beginning to end.
  • Assign an owner to each task.
  • Automate tasks by integrating with DevOps tools.

Developing securely by design is the way forward, and as technology evolves, new controls and standards arise to meet the need for secure and compliant applications. Meeting those controls, however, is not straightforward without a consistent method for converting policy into procedure, one that steers clear of the iceberg.

Read Mina Miri, Amir Pourafshar, Pooya Mehregan and Nathanael Mohammed's recent Journal article:

"Bridging the Gap between Policies and Execution in an Agile Environment," ISACA Journal, volume 4, 2019.