Achieving security by design

Derek Holt argues that security and testing must always be part of the Value Stream Management (VSM) discussion

Software applications are playing an increasingly large role in our lives, both at home and at work. As consumers, our interactions with mobile and web apps often define how we view a brand. A slick, responsive and useful app will lead to satisfied and engaged customers, while a slow and buggy one will lose customers to more digitally competent rivals.

This is reflected in the workplace, where the consumerisation of enterprise technology means we have come to expect the same high quality in business apps as we experience from personal ones. As well as the plethora of externally developed tools we use every day, many larger organisations have now developed their own web and mobile apps for internal and back-office purposes. Whether to attract and retain customers or talent, there is a heightened expectation of quality and a growing pressure on development organisations to deliver.

Alongside functioning smoothly (i.e. high quality), applications must be highly secure. Applications with poor security can lead to serious data breaches, affecting the app’s users and the company. One doesn’t have to look far to find a headline outlining a breached application which has exposed the personal and financial details of customers or employees. In today’s world these breaches not only cause challenges for users but can bring the enterprise to the brink. Threat actors are also constantly on the prowl for poorly secured apps that will allow them to access corporate networks and execute even greater attacks. It is increasingly important for apps to be developed to a principle of being secure by design, rather than security being a late addition or afterthought.

As a result, quality and security are two vital elements of the development lifecycle for meeting user expectations, and subsequently creating value for the business. For years we have talked about shifting both quality and security “left” in the development and delivery process to address both dimensions earlier and more often. Despite these trends, however, these two crucial fields are still too often deprioritised.

Don’t side-line quality and security

As developers strive to shorten their product lifecycles and get to market as soon as possible, it has become increasingly important to optimise their processes. Value Stream Management (VSM) is one of the most recent strategies for achieving this, building on previous methodologies such as agile, lean and DevOps.

VSM aims to establish a fully integrated view into the product development lifecycle, providing visibility across teams, tools, and processes. Decision makers can easily identify bottlenecks or areas for improvement, and access operational data to help pinpoint the improvements that will create the most value. Unlike past approaches, VSM does not stop at the optimisation of the development and delivery of software solutions; rather, it strives to map technical investments back to business value and break down the silos often found between software delivery pipelines and the business. While not a new concept for digital native companies, VSM has taken on accelerated importance as more traditional industries become increasingly digital.

While VSM (and the building blocks of Agile and DevOps) have always included quality and security, the growing critical nature of both continues to be overlooked. Both areas tend to be regarded as specialist functions that are carried out at the end of the development cycle as the product nears release.

This is a serious mistake: the sooner a security vulnerability or performance bug is discovered in the development lifecycle, the easier and cheaper it is to fix. As an application gets closer to release, more code may need to be analysed and unpicked to get to the root of the issue. While software products have the luxury of the post-release fix, this requires more resource and risks damaging users’ experience and security.

Different development domains are still heavily siloed, with each team focused on their own area and simply handing over to the next team for the next phase. If the quality testing team finds an issue or the security team identifies a potential vulnerability, it gets passed back to the relevant department for the fix. This is an extremely inefficient way of handling things, creating unnecessary work and lengthening the lifecycle.

Bringing security and testing into the core of VSM

The concept of VSM is centred around creating a unified, collaborative approach that improves the value of each part of the development cycle, as well as the value and customer satisfaction delivered by the final product. Aligning development activities with targeted business value and business outcomes ensures organisations are not only building a solution the right way, but ultimately building the right things. This newfound speed and business value alignment can, however, quickly come to a halt when security and quality are not a core, integrated and hopefully automated focus throughout the lifecycle. When security and quality testing are treated as follow-on activities or left out of this process, it is impossible to achieve a truly unified lifecycle, and unneeded risks and costs are often encountered.

When all elements of the development process are brought together, it is easier to gain an overview of the entire lifecycle and harvest valuable data from every step involved. Whereas a few years ago this would have been far too much data for any human team to manage, rapid developments in AI and machine learning mean that data streams can be fully analysed and put to good use informing tactical and strategic decision making.

Aiming for security by design

A truly unified approach is also crucial for effectively delivering a product that is secure by design. With a single vulnerability potentially leading to a breach costing millions and customers flocking to the competition, no developer can afford to release an application without extensive protection.

Security features, such as code obfuscation and defensive measures that detect suspicious behaviour, should be an integral part of the product’s DNA. It is essential for security teams to be seamlessly engaged with all aspects of the development organisation both early and often. Likewise, there must be adequate time for continuous security testing, rather than positioning it as a final barrier to overcome. Addressing security must become a more collaborative activity across the different teams of the development process.

Focusing on quality and security in 2021

Recently, expectations around software have grown exponentially, and a slow or buggy application can be enough to convince a customer to take their business elsewhere. The consumerisation of enterprise technology also means that business users expect the same quality and ease of use from workplace applications as they do from personal ones.

From this perspective, quality testing is one of the most valuable elements of the development lifecycle, helping to ensure that the application’s performance meets the userbase’s lofty expectations. This includes not just functional quality, but many other dimensions including performance, accessibility and more. Similarly, with threat actors increasingly on the prowl for vulnerable remote workers, the attack surface available to cyber criminals has grown exponentially, as has the impact of a breach. Security must be baked into the core of the application following the principle of security by design, not regarded as an additional step at the end of the lifecycle. Indeed, an application that is poorly secured cannot be called a quality product, so in many ways a security issue is a quality issue.

Quality and security are common expectations for all software products. By ensuring that security and testing are solidly integrated into the lifecycle through VSM, developers can create more efficient processes, ensure the product hits the mark, and ensure that business value is always achieved.

Derek Holt is GM Agile and DevOps at

Copyright Lyonsdown Limited 2021
