Today we are pleased to share with you an alpha draft of our secure development and deployment guidance. You may be wondering, ‘who this is aimed at?’ And ‘why is it in alpha?’ This blog post will answer those questions.
We have noticed the steady growth of agile development using continuous integration and delivery. You probably have too. Well, one of the chief characteristics of this relatively new approach to software development is increased automation. This puts incredible power in the hands of the developer, allowing entire system architectures to be defined in code and tied to tooling which will automate both testing and deployment. There’s a lot going for this approach, you can see why it’s catching on so fast.
But (there is always a ‘but’) with this power comes a new set of risks and security considerations. It’s these which our guidance addresses. We’ve tried to ensure that every recommendation is possible. And though there might be some pain were you to adopt our advice wholesale, now is the time to make the effort – before insecure practices have had time to take root culturally.
The primary audience for this guidance is development teams practicing continuous integration and deployment, an approach which is more common for the development of digital services. Despite this, we hope the advice we give will be of use to everyone involved in software development and procurement, whatever your style of development.
That’s quite ambitious – ‘everyone.’ But the guidance itself is high level: there is no language-specific advice. It’s human readable. Our goal is to help secure the entire process of software development, so we’ve looked at everything from establishing a security-friendly culture, through to implementation and ongoing management. This work is complementary to our existing design guidance.
We are publishing this guidance as alpha, acknowledging that we are dealing with a new and rapidly evolving field – one in which there are still questions to be settled about best practice. We welcome your feedback to help us refine our advice, before moving it to ‘beta’ and ‘live’ versions.
And, due to the nature of the guidance, it seemed appropriate to share this with you on Github first. We welcome your feedback through comments and pull requests. Once the alpha period is completed, we’ll integrate the suggestions we receive and publish a beta on our website.
Source: National Cyber Security Centre