Thursday, December 17, 2015

Continuous Delivery: how to ensure the security of the code if the … – Digital4


Continuous Delivery is the way of working in which developers release code updates and changes to the software several times a day.

According to experts, this continuous-release mode should rely on a gateway that protects the data, and in particular the open data.

Since the company that develops the software is releasing continuously, its governance must in fact provide for special security measures.

Alternatively, some experts suggest setting up Continuous Delivery management that provides a separate, dedicated data-transmission system. How, then, should companies, and software companies in particular, behave?



Continuous Delivery: why security governance is needed

In a continuous code-release model, the time needed to fix bugs or vulnerabilities, or to improve application services, is usually very short. New code, which may differ from the installed program by even a single small change, is released as soon as it is ready, without waiting for the other changes that developers are still working on.

The main problem, from a security point of view, stems from the fact that many continuous delivery implementations focus solely on testing and on releasing new features and functionality. This makes software updates very fast, but very often it results in a lack of attention to the security of the new code. The feedback requested from users on the features of the latest release is, in fact, heavily biased toward the usability and functionality of the software rather than its security. Despite this, there is no reason why a continuous-release model should be abandoned because of security concerns: the premise is that all data-protection and security policies are integrated into the overall process of releasing the code.

Continuous Delivery: how to secure governance

The basic idea of a continuous code-release model is to build automated mechanisms that run integrity tests to eliminate any defects introduced during programming. This keeps software development continuous, but only if the development team works closely with the security team. Continuous delivery of code, with security acceptance processes built in, improves security and the software's ability to respond well to events that threaten it, because continuous security controls are integrated at the crucial stages of the development and deployment process. Traditional software development normally produces a large number of code changes that are released all at once. This makes review harder: if a test fails, it is not always easy to determine which particular code change caused the problem. Evaluating code in continuous delivery makes it easier to identify problems, so the latest code is always available and (almost always) free of bugs or vulnerabilities.

It is also very important to establish secure coding rules that prohibit the use of dangerous code and functions and of libraries and third-party components not approved by the security team, while every error and exception that occurs should be carefully evaluated and resolved, as should the other critical functions that normally arise during a code update.
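One way to enforce the rule on third-party components is a pipeline step that compares the pinned dependencies of a build against the list approved by the security team and fails the build on any mismatch. The following is an added example, not code from the article or from Digital4; the allow-list, the lock-file contents and the function names are constructed for illustration.

```python
"""Policy check for third-party components: every dependency pinned in the
lock file must appear, with exactly that version, in the list approved by
the security team. (Added example; all names and contents are constructed.)"""
import re
from typing import Dict, List, Set, Tuple

# Constructed allow-list maintained by the security team:
# package name -> set of approved versions.
APPROVED_COMPONENTS: Dict[str, Set[str]] = {
    "requests": {"2.31.0"},
    "cryptography": {"41.0.7", "42.0.0"},
    "flask": {"3.0.0"},
}

# Constructed lock file in requirements.txt style (pinned with ==).
SAMPLE_LOCK_FILE = """\
# generated lock file (constructed sample)
requests==2.31.0
cryptography==41.0.7
flask==2.3.2
pyyaml==6.0.1
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)$")


def parse_lock_file(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs; blank lines and comments are skipped.
    A line that is not an exact '==' pin is rejected, because an unpinned
    dependency cannot be matched against an approved version."""
    pins: List[Tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PIN_RE.match(stripped)
        if not match:
            raise ValueError(
                f"line {lineno}: dependency is not pinned with '==': {stripped!r}"
            )
        pins.append((match.group(1).lower(), match.group(2)))
    return pins


def find_unapproved(
    pins: List[Tuple[str, str]],
    approved: Dict[str, Set[str]] = APPROVED_COMPONENTS,
) -> List[str]:
    """Describe every dependency the security team has not approved,
    distinguishing an unknown component from an unapproved version."""
    problems: List[str] = []
    for name, version in pins:
        allowed = approved.get(name)
        if allowed is None:
            problems.append(f"{name}=={version}: component not in approved list")
        elif version not in allowed:
            problems.append(
                f"{name}=={version}: version not approved "
                f"(approved: {sorted(allowed)})"
            )
    return problems


def check_components(text: str) -> bool:
    """True when the lock file passes the policy. Meant to run as a pipeline
    step that fails the build when it returns False."""
    problems = find_unapproved(parse_lock_file(text))
    for problem in problems:
        print("POLICY VIOLATION:", problem)
    return not problems


if __name__ == "__main__":
    import sys
    # Exit status 1 makes the pipeline stage fail on the constructed sample.
    sys.exit(0 if check_components(SAMPLE_LOCK_FILE) else 1)
```

Rejecting unpinned lines rather than skipping them is deliberate: a range such as `>=2.0` would let a version the security team never reviewed slip in at install time, so the check only accepts lock files it can match exactly.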

The importance of security tests in continuous delivery

Once the new code is developed, it must be submitted as quickly as possible to automated security checks to ensure that known vulnerabilities have not been introduced by accident.

Such tests are particularly suited to automation, but it is also important to add further tests based on identified scenarios and on cases of data abuse, in order to detect unusual behaviour. Again, these tests can be automated with the browser automation tools that serve acceptance testing.

This sequence of tests is essentially the same as the one performed for automated acceptance. Besides checking that security features such as login and logout work as expected, it also analyses abnormal behaviour that may lead to an unexpected result. The key is to create application tests that also include the possibility of being attacked, so as to make developers more aware of the types of threats they face.

It is certainly important to focus on, and speed up, the resolution of the problems found during security testing, but the security team should also have the power to block the release if the test results indicate an unacceptable risk.
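The paragraphs above describe a single procedure: acceptance-style tests that check that login and logout work, the same harness driving abuse cases against them, and a gate that blocks the release when the findings carry unacceptable risk. The following is an added example that is not part of the article or of Digital4: a minimal in-memory session service stands in for the system under test, and the test cases, severity levels and thresholds are all constructed.

```python
"""Security acceptance tests in the pipeline: expected-behaviour checks and
abuse cases run against a login/logout service, and a gate decides whether
the build may be released. (Added example; the service, the test cases and
the thresholds are constructed.)"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5


@dataclass
class SessionService:
    """Minimal in-memory system under test. Passwords are stored in clear
    only to keep the constructed sample short; a real service stores hashes."""
    users: Dict[str, str]                                   # username -> password
    sessions: Dict[str, str] = field(default_factory=dict)  # token -> username
    failed: Dict[str, int] = field(default_factory=dict)    # username -> failures
    lockout: bool = True                                    # False simulates a regression

    def login(self, user: str, password: str) -> Optional[str]:
        if self.lockout and self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return None                                     # account locked
        expected = self.users.get(user, "")
        if user in self.users and secrets.compare_digest(expected, password):
            self.failed[user] = 0
            token = secrets.token_urlsafe(32)
            self.sessions[token] = user
            return token
        self.failed[user] = self.failed.get(user, 0) + 1
        return None

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def whoami(self, token: str) -> Optional[str]:
        return self.sessions.get(token)


@dataclass
class Finding:
    name: str
    severity: str  # "low" | "medium" | "high" | "critical"


def run_security_tests(make_svc: Callable[[], SessionService]) -> List[Finding]:
    """Expected-behaviour checks plus abuse cases; each failure is a finding."""
    findings: List[Finding] = []

    svc = make_svc()                                        # the feature works
    token = svc.login("alice", "correct horse")
    if token is None or svc.whoami(token) != "alice":
        findings.append(Finding("login with valid credentials fails", "high"))
    else:
        svc.logout(token)                                   # abuse case: token reuse
        if svc.whoami(token) is not None:
            findings.append(Finding("session still valid after logout", "critical"))

    svc = make_svc()                                        # abuse case: wrong password
    if svc.login("alice", "wrong") is not None:
        findings.append(Finding("login succeeds with wrong password", "critical"))

    svc = make_svc()                                        # abuse case: repeated failures
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    if svc.login("alice", "correct horse") is not None:
        findings.append(Finding("no lockout after repeated failed logins", "medium"))

    svc = make_svc()                                        # abuse case: forged token
    if svc.whoami("not-a-real-token") is not None:
        findings.append(Finding("unknown session token accepted", "critical"))
    return findings


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def release_allowed(findings: List[Finding], block_at: str = "high") -> bool:
    """Gate owned by the security team: any finding at or above block_at
    blocks the release; lower findings are reported but do not stop it."""
    threshold = SEVERITY_RANK[block_at]
    blocking = False
    for f in findings:
        is_blocking = SEVERITY_RANK[f.severity] >= threshold
        blocking = blocking or is_blocking
        print("BLOCKING" if is_blocking else "warning", f.severity, f.name)
    return not blocking


def make_service(lockout: bool = True) -> SessionService:
    return SessionService(users={"alice": "correct horse"}, lockout=lockout)


if __name__ == "__main__":
    import sys
    sys.exit(0 if release_allowed(run_security_tests(make_service)) else 1)
```

The threshold is what gives the security team its veto: the same findings that only warn at `block_at="high"` fail the pipeline at `block_at="medium"`, so the team can tighten the gate without rewriting the tests.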
