Time to put Security into the Software Development Lifecycle


On September 4, 2014 WhiteHat and Tasktop announced their partnership, while simultaneously introducing the WhiteHat Integration Server. The WhiteHat Integration Server is an OEM of Tasktop Sync technology, which includes a connector to WhiteHat Sentinel, and a selection of connectors. The addition of security to the Tasktop ecosystem is important for so many reasons.

Security must be deeply integrated into software development and delivery

Information security has been an important topic since the advent of computing, but over the last three years, high-profile security breaches have focused everyone’s attention on ensuring their web applications and sites are not easy pickings for crackers. But even though information security is important for many organizations, ensuring it is a separate activity from their normal development process. That disconnect slows down development since major security decisions are often left to the end. Agile and Continuous Delivery have taught us the value of integrating the disciplines, but for many organizations that integration is difficult. The release of the WhiteHat Integration Server and the creation of a Tasktop Sync connector for Sentinel provide automation that connects security vulnerabilities to defects, stories, issues and the rest of the lifecycle artifacts. This will allow organizations that use WhiteHat to embed security into the software development lifecycle earlier – reducing rework, increasing quality and visibility, and ultimately improving time-to-market.

Complete information enables better decisions

Software delivery, like all business processes, is about trade-offs. As software professionals we have to balance the needs of time to market, architecture, features and quality. The iron triangle of software delivery tells you that when considering quality, features or cost – you can have only two. But the most worrying part of these compromises isn’t the fact that organizations are making them, it is that they are making them without a complete view of all the information. Feature Leads are making decisions about their ever-growing list of features; testers are looking at defect lists; and project managers are trying to work out what to do with a project plan that is no longer valid. Security is yet another trade-off to make, and the use of WhiteHat Sentinel provides you with great information on what, why and how security vulnerabilities and issues will undermine your website or web application. But often this information is separated from the other defects, requirements and issues. Without a complete, single view of the truth, software delivery and business leadership are making decisions without all the facts. With the release of the WhiteHat Integration Server, organizations can synchronize the security artifacts into the right reporting and planning tools, enabling decisions to be made based on a more complete view of the truth.

It is all about flow, not access

Initial attempts to provide developers access to the information from security tools have focused on the IDE, allowing security observations to be surfaced within the developer’s IDE. The release of the WhiteHat Integration Server surfaces these observations, but in a different way. Instead of just enabling security vulnerabilities to be surfaced in the IDE, the integration server synchronizes the information into the tools managing the work for development – at a server level. By synchronizing security vulnerabilities with tools such as JIRA, Microsoft TFS, IBM RTC, Rally, or VersionOne, a developer will get a consistent and integrated view of their work, rather than a separate list of work items from the security tool. This allows them to manage security work in the same manner as other work. This is not only a key objective for development approaches such as Agile development, but also fundamental to building high-performance teams. By synchronizing the security information, you also have the ability to extend information in both artifacts, allowing the work item in a tool like JIRA to add additional development specific information without complicating the security artifact.

It’s more important than ever to connect security teams to their colleagues

The bottom line is that security – like the PMO, Agile teams, quality and service management – must be integrated in real-time to allow rapid, agile, and informed software delivery. The release of the WhiteHat Integration Server enables customers of WhiteHat to take the next step – connecting their security professionals to the rest of the software development and delivery lifecycle, in real-time. And from a Tasktop point of view, this is another BIG STEP in our mission of connecting the world of software delivery. Things continue to get more exciting and more secure at Tasktop. Dave