Terminology: AppSec, DevSecOps, CloudSec, ProdSec … What’s the Diff?

Clarification of commonly used software development security terms

Computer technology is a broad field in which acronyms and the marketing terms coined to position new products are easily confused. Inconsistent understanding and use of these terms among practitioners and organizations causes confusion and inefficiency when communicating the scope and objectives of collaborative efforts.
The following is a quick reference to help clarify the most commonly used and confused terminology regarding software development security.

Terms

  • Computer Security / Cybersecurity / Digital Security / Information Technology Security (IT Security)
    The protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.
    As such, these are the broadest all-encompassing terms having to do with an organization's complete security practice of all hardware, software, and services.

  • Information Security (InfoSec)
    Preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information; and involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible (e.g., paperwork), or intangible (e.g., knowledge). Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability (also known as the "CIA" triad).
    The ISC2 CISSP professional certification covers these practices through 8 Common Body of Knowledge (CBK) domains.

  • Secure Software Development Life Cycle (SSDLC)
    A framework for embedding security protection best practices into all phases of the Software Development Life Cycle (SDLC). Defines security requirements (Security by Design) and tasks that must be considered and addressed within every system, project or application that is created or updated to address a business need.
    The ISC2 CSSLP professional certification covers these practices through 8 Common Body of Knowledge (CBK) domains.
  • Secure Software Development Framework (SSDF)
    NIST SP 800-218 is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
  • Application Security (AppSec)
    All tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle: requirements analysis, design, implementation, verification, and maintenance.
    This includes protecting the digital data (Data Security) used and produced by applications, such as the contents of a database, with Identity and Access Management (IAM/IdM) controls and encryption.
  • DevOps Security (DevSecOps)
    The design and implementation of security requirements and processes in Software Development Operations (DevOps). This includes the system components, tooling, and automation of the build-and-deploy Continuous Integration/Continuous Deployment (CI/CD) pipelines.
  • Platform/Infrastructure Security (PlatformSec)
    The design and implementation of security requirements, and the administrative management, of the servers that host a software solution's applications and of the network connections between their components, across the 7 OSI model layers.
    Platforms can either be unique to a software product-family solution, or can be standardized as Cloud Computing services.
  • Cloud Security (CloudSec)
    The design and implementation of security requirements, and the administrative management, of the Cloud Computing services that host a software solution's applications.
    Application Platform as a Service (aPaaS) is a category of Cloud Computing services that allows customers to provision, instantiate, run, and manage a modular bundle comprising a computing platform and one or more applications, without the complexity of building and maintaining the infrastructure typically associated with developing and launching the application(s).
    These services can either be remotely hosted by third-party suppliers (Public Cloud),
    or hosted and managed within an organization's own network (Private Cloud),
    or used as a combination of Public and Private Cloud platforms (Hybrid Cloud).
  • Product Security (ProdSec = AppSec + DevSecOps + PlatformSec)
    Product-Family Engineering is a method that creates an underlying architecture of an organization's product platform; an architecture that is based on commonality as well as planned variabilities. The various product variants can be derived from the basic product family, which creates the opportunity to reuse and differentiate on products in the family - similar to vehicle platforms in the automotive industry. Product-family engineering is all about reusing components and structures as much as possible while incorporating AppSec, DevSecOps, and PlatformSec security requirements and processes.
