Designing software from the ground up to be secure, as recommended by the Secure by Design initiative from the Cybersecurity and Infrastructure Security Agency (CISA), has its challenges, especially if it’s done at scale. .

One way to meet those challenges — and to be able to take the CISA’s Secure by Design pledge introduced at RSA Conference 2024 — is through platform engineering, wherein security is embedded into the platform that developers use to produce their applications. With platform engineering, security tools aren’t just accessible to coders; they become an integral part of the daily workflows of development teams.

Platform engineering benefits include:

• Codifying security policies, automating security checks, and integrating tools into the software development lifecycle through scripts, templates, and pipelines
• Facilitating secure default configurations for systems, resources, and environments
• Assisting in the implementation of precise, role-based access controls and ensuring that all users, resources, and networks operate with the least necessary privileges
• Unifying diverse security tools into a single platform that can bridge team silos, enhance collaboration, and provide a consistent security experience for developers

Here’s everything you need to know about platform engineering — and how it can help your organization overcome the challenges of adopting Secure by Design. 

[ See webinar: Secure by Design: Why Trust Matters for Software Risk Management ]

Benefits and challenges with platform engineering

Chris Romeo, CEO of the threat modeling firm Devici, said platform engineering helps to address one key problem with Secure by Design: scaling the practice. “Secure by Design principles are challenging to implement at scale because they require that the security team build a collection of shared security services that can be incorporated into all applications,” Romeo said.

Those security services include multifactor authentication, session management, attribute-based access control (ABAC), and input validation/output encoding, as well as the use of OpenID Connect (OICD), single sign-on (SSO), and the Security Assertion Markup Language (SAML).

“These are complex to implement but are even more complex to create in such a way that they are easy for developers to use. Shared security services aim to simplify the implementation and make it less time-consuming than a developer building something from scratch. This is the essence of the ‘paved roads’ that everyone talks about — roads that are easier for developers to drive on than if they have to build their own roads.”
—Chris Romeo

Staffing can also make Secure by Design difficult to scale, said Jeff Williams, CTO and co-founder of Contrast Security.

“It requires a lot of security expertise, and most companies have severely limited application security resources.”
—Jeff Williams 

A less-than-solid implementation of Secure by Design can also interfere with scaling, said Guy Rosenthal, vice president for product at the security firm DoControl.

“Executing Secure by Design can slow down development if not done right. Scaling these efforts without impacting agile processes needs robust tools, consistent policy enforcement, and overcoming resistance from stakeholders who are used to the old ways.”
—Guy Rosenthal

Stop AppSec from slowing down development

Security slowing down the development process is a common complaint — and one that can be addressed through platform engineering, said Matthew Heckathorn, an integration engineer at the Software Engineering Institute in Carnegie Mellon University’s CERT Division. “Platform engineering is focused on providing a secure platform and all its disparate pieces for running a product, such as automated TLS cert handling, secure by default connection configuration, and easy access to things like an API for adding multifactor authentication,” Heckathorn said.

One way platform engineering can help avert security practices that slow down development is to provide developers and cybersecurity professionals with platforms that are secure by default and that they can use to develop and deploy their products, he said.

“This eliminates any product and environmental hardening activities related to security. It also provides a configured platform baseline that can form a basis for determining changes in a product’s security posture between releases.”
—Matthew Heckathorn

DoControl’s Rosenthal said that platform engineering can streamline security practices by automating repetitive tasks and embedding security controls into the development pipeline. He said that cuts down the friction traditionally associated with manual security reviews, allowing development teams to keep up their pace while still sticking to security best practices.

“Security by Design benefits from this because it ensures that security measures are consistently applied without slowing down the development process, leading to faster and more secure software delivery.”
—Guy Rosenthal

MJ Kaufmann, an author and instructor with O’Reilly Media, said platform engineering excels at the automation of tasks, such as automated security scanning, compliance checks, and patch management, by integrating them into the CI/CD pipeline to ensure that security assessments happen in real time and are less intrusive.

“By building them into the pipeline, security is just a part of the build process rather than an extra step that can be pushed off to later due to urgent deadlines.”
—MJ Kaufmann

Those urgent deadlines can be an impediment to Secure by Design, said Jason Soroko, senior vice president of product at the digital certificate provider Sectigo. 

“One of the biggest obstacles to implementing Secure by Design principles is the technology industry’s focus on rapid innovation over security, often sidelining integral security measures in the development process.”
—Jason Soroko

Application security (AppSec) teams thinks that developers don’t care about security, but the reality is that product owners control what the developers work on, said Larry Maccherone, DevSecOps transformation architect at Contrast Security.

“So you must carve out velocity for nonfunctional engineering-excellence work, like security, from the control of these product owners. Having a separate platform engineering group carves out engineering velocity from the control of product owners. Standing up this team when I was head of DevSecOps at Comcast was one of the most valuable things I did.”
—Larry Maccherone

Improved communication and collaboration is key

Platform engineering can also improve communication and collaboration, both important for advancing Secure by Design principles, said Frank Balonis, CISO of Kiteworks, a secure content communications provider. “Usually, when you have complaints that security is in the way, the development team and the security team aren’t in constant communication to understand the process,” Balonis said.

“A developer will develop something, and the only thing they’ll hear from security is this isn’t good enough or there is a problem, without understanding why it’s a problem and how you can improve things so it doesn’t occur in the future. Communications across all parties is what allows secure-by-design to be efficient.”
—Frank Balonis

Balonis explained that with platform engineering, notifications can occur at key points in the development lifecycle. Security teams, for example, can be notified when new changes are being introduced, and developers can be alerted to issues raised or comments made by security. In addition, when a developer introduces code changes, notifications can be sent out to the appropriate personnel to review it for best coding practices and security before they can be fully implemented into the platform.

O’Reilly’s Kaufmann said that platform engineering can help bridge gaps between development and security teams by establishing shared tools, processes, and goals. “Improving communication between these teams enhances collaboration, which is crucial for Secure by Design,” she said.

Even with platform engineering, though, the quality of communications between security and development teams may leave something to be desired. “Most security communications with development is about vulnerabilities, which often comes across as blame,” maintained Contrast Security’s Williams. “At the same time, management is focused on delivering value to production, which takes precedence. Unfortunately, most organizations are stuck responding to vulnerabilities and don’t have enough security experts to do effective platform security engineering.”

However, when platform engineering is done effectively, it can take a load off of AppSec teams and developers alike, Williams added.

“It can foster an environment where security responsibility is minimized, so developers can focus on writing code, security can focus on threat modeling and security architecture, and operations can focus on real incidents and not false positive alerts.” 
—Jeff Williams

Platform engineering: It takes a team

While platform engineering can help implement many of the Secure by Design principles, it can’t do it alone, said CERT’s Heckathorn. “Given that nine out of 10 breaches are due to defects in design or code, the fundamental issue needs to be addressed through the improvement of the quality of the software being written and engineering techniques used throughout the software engineering lifecycle,” he said.

“From a quality perspective, research has shown that one to five percent of software defects are vulnerabilities. Thus, fewer defects will result in fewer vulnerabilities.”
—Matthew Heckathorn

Software engineering starts with requirements and design, Heckathorn said. And when defining new application features, teams must also anticipate ways in which the feature can be misused by adversaries through the performance of systematic, rigorous, and customized threat analysis, he stressed. “While platform engineers should participate in these activities, research has shown that the makeup of the engineering team and their background, or experience, impacts the outcome of threat modeling activities. Thus, teams should include representatives of at least the system users, cybersecurity experts, and the engineers building and maintaining the product,” he said.

DoControl’s Rosenthal stressed that platform engineering is not just about building robust systems:

“It’s about building a culture of security within the organization. By integrating security into the very fabric of the development process, platform engineering empowers AppSec teams to deliver on Secure by Design principles more effectively.”

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by John P. Mello Jr.. Read the original post at: https://www.reversinglabs.com/blog/how-platform-engineering-can-deliver-on-the-promise-of-secure-by-design