Software development teams in all industries face a barrage of security threats. In recent years, the healthcare industry has seen a rise in ransomware and other threats to the privacy of patient data. Ransomware attacks were relatively unknown a decade ago but have since emerged with a significant impact on the healthcare industry. Security teams know a great deal about these threats, how they occur, and how to protect the enterprise against them.
Modern security requirements, tools, and techniques vary in complexity from the obvious and simple to the subtle and cloaked. How do companies help their teams stay updated with current threat tactics and techniques? Enter the Secure Software Development Lifecycle (SSDLC). SSDLC provides a framework for decision-making, helps product owners understand risk, and feeds information from the front line into the development teams where it can be addressed during the earliest phases of software development. SSDLC shifts security left and draws the expertise of security engineers and architects into the discussions early on. Though SSDLC works in any industry, those with data protection obligations, such as healthcare organizations, benefit from the process’s visibility.
SSDLC consists of activities that teams already perform, and it fits well into any lifecycle, such as waterfall, agile, and DevSecOps. It draws on the best of modern security standards such as the Building Security In Maturity Model (BSIMM), the Open Web Application Security Project (OWASP), and the Center for Internet Security (CIS) to bake security in rather than bolt it on. The process begins with a common approach used in starting any project: a project initiation. Security activities in project initiation include defining business deliverables, data classification, regulatory context, application classification, and shared responsibility. Defining this information at the start provides a sturdy foundation for the next step in the process: threat modeling and establishing security requirements.
Along with user stories and functional requirements, these activities are expected to iterate as the software moves from ideation into implementation. Taking these first two steps identifies the relevant security requirements early on and allows development teams to focus on security requirements throughout the development lifecycle.
For example, in a project that has a requirement to interact with healthcare data that has been classified as “covered data,” the threat modeling exercise will identify security requirements such as “the data must be protected when being stored, transmitted, or processed.” Classifying this data and establishing the security requirements at the beginning of the project allows protection of the patient data to be designed early on.
Now that the security requirements have been established, they make their way into the software teams’ backlog. Next, secure coding practices are used to develop secure solutions. These practices include the security testing cycles: code review, static and dynamic analysis, fuzz and performance testing, and penetration testing. All of these are vital to providing the best security outcomes for the protection of your data.
Through the checks and balances of a software development lifecycle, the quality of the product can be compared against all the requirements. Risks are clearly illuminated with these methods since all changes to the software are subject to the tests, and progression of the software is denied unless the measurements are accepted. In other words, if the software cannot protect the data, it will be rejected and sent back to the drawing board. With this visibility, product owners may make informed, risk-based decisions at any time.
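To make the flow from data classification, through threat-modeled security requirements, to a pass/fail gate concrete, here is a small added example. It is not code from the original article; the classification names, the mapping of classifications to mandatory checks, the severity thresholds, and the sample test results are all constructed for illustration.

```python
"""Added example (not from the original article): a minimal SSDLC gate that
turns a data classification into mandatory security checks and then decides
whether a build may progress, following the stages the article describes
(initiation -> requirements -> testing cycles -> gate). All names, thresholds
and sample findings below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical classification -> minimum required security activities.
# "covered" models the article's "covered data" (e.g. patient records).
REQUIRED_CHECKS = {
    "public":   {"code_review", "sast"},
    "internal": {"code_review", "sast", "dast"},
    "covered":  {"code_review", "sast", "dast", "fuzz", "pentest"},
}

# Highest finding severity a build may carry and still progress, per
# classification (constructed thresholds; covered data is the strictest).
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCKING_SEVERITY = {"public": "critical", "internal": "high", "covered": "medium"}


def security_requirements(classification: str) -> list[str]:
    """Security requirements that a threat-modeling exercise derives from the
    data classification; the 'covered' branch matches the article's
    'protected when stored, transmitted, or processed' requirement."""
    reqs = ["Input validated at all trust boundaries"]
    if classification in ("internal", "covered"):
        reqs.append("Authentication and authorization on every endpoint")
    if classification == "covered":
        reqs += [
            "Data encrypted at rest",
            "Data encrypted in transit",
            "Data protected while processed (no plaintext logging)",
            "Access to data audit-logged",
        ]
    return reqs


@dataclass
class CheckResult:
    name: str                        # e.g. "sast", "dast", "pentest"
    passed: bool                     # did the activity complete successfully
    highest_severity: str = "none"   # none / low / medium / high / critical


@dataclass
class GateDecision:
    approved: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_gate(classification: str, results: list[CheckResult]) -> GateDecision:
    """Deny progression unless every required check ran, passed, and reported
    nothing at or above the classification's blocking severity."""
    if classification not in REQUIRED_CHECKS:
        return GateDecision(False, [f"unknown data classification: {classification}"])
    threshold = SEVERITY_RANK[BLOCKING_SEVERITY[classification]]
    by_name = {r.name: r for r in results}
    reasons: list[str] = []
    for check in sorted(REQUIRED_CHECKS[classification]):
        result = by_name.get(check)
        if result is None:
            reasons.append(f"{check}: required for '{classification}' data but not run")
        elif not result.passed:
            reasons.append(f"{check}: failed")
        elif SEVERITY_RANK[result.highest_severity] >= threshold:
            reasons.append(f"{check}: {result.highest_severity} finding at or above blocking threshold")
    return GateDecision(approved=not reasons, reasons=reasons)


# Constructed sample: a build handling covered data, with fuzz testing skipped
# and dynamic analysis reporting a medium-severity finding.
SAMPLE_RESULTS = [
    CheckResult("code_review", True),
    CheckResult("sast", True, "low"),
    CheckResult("dast", True, "medium"),
    CheckResult("pentest", True, "low"),
]

if __name__ == "__main__":
    for req in security_requirements("covered"):
        print("requirement:", req)
    decision = evaluate_gate("covered", SAMPLE_RESULTS)
    print("approved:", decision.approved)
    for reason in decision.reasons:
        print("blocked:", reason)
```

Run as a script, the sample build is rejected for two reasons: fuzz testing never ran, and the medium DAST finding meets the blocking threshold for covered data. The same results would pass for an "internal" classification, which is the point of classifying data at initiation: the gate's strictness is decided up front, not negotiated at release time.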
How can development teams maintain security awareness? We would like to think that examining and analyzing the threat landscape is top of mind for everyone. Still, developers must keep up with new and changing technologies and evolving coding techniques. This is where the security engineering team can provide valuable guidance in a true DevSecOps fashion.
Everyone needs to know their personal health data is protected, and as an industry we treat this as a top goal of security. Enabling personal health data to move efficiently and securely across systems and boundaries is one of the highest priorities in SSDLC. The safe movement of data is an integral part of improving outcomes and enabling advancements in the industry, pushing healthcare forward.