August 23, 2022
TL;DR The software development life cycle (SDLC) has always been followed by functional testing to ensure software solutions have all the necessary features and capabilities. Due to the rising number of cyberattacks, software development stakeholders have been forced to implement security testing as a main practice in the SDLC to prevent vulnerabilities and flaws in applications or software (assets). A software security assessment scans for weaknesses with the goal of preventing bad actors from exploiting those weaknesses. And it's not just applicable to one phase: it's added security at each software development phase (design, development, deployment, maintenance) and during product delivery.
SDLC at Spotify
From an application security perspective at Spotify, we consider the mindset, procedures, and solutions followed within our organization and in the software development life cycle to protect the applications we create and use.
So what are we doing to secure the SDLC? Spotify's application security program features several tools that scan applications and report vulnerabilities. We call them reactive controls. One of those reactive controls is Snyk. The lifecycle of vulnerabilities is tracked within the vulnerability management platform, providing a way for asset owners and operations teams to remediate vulnerabilities and manage risks according to internal vulnerability management policies, improving security. Through automation efforts, we're able to keep our software, assets, and components healthy and up to date, providing an additional layer of strength in the security program. This has allowed us to scale more quickly and more safely. As we consume large quantities of software, such as libraries, services, applications and infrastructure, each of which can be subject to supply chain attacks, we want to make sure that we can trust the software source and, in turn, remain a software supplier that won't ship malicious software to our customers. That is the main goal of the secure supply chain initiative: to prevent attacks that can target any phase of the software development life cycle.
We focus on two key areas when thinking about security testing in the SDLC:
- Covering Spotify's vast variety of languages and package managers.
- Having a solution flexible enough to integrate into the existing CI/CD.
To address these areas, we integrated Snyk into Spotify's build pipeline, giving us the ability to scan for vulnerabilities in review builds. We rolled this out in phases, prioritizing perimeter services and services with access to sensitive data. This tool already had support for almost every language and package manager that we wanted to support, and the Snyk team had plans to expand support into other areas that were of interest to us.
What it looks like from a developer's perspective
Spotify has thousands of engineers, so we were very intentional when implementing security testing automation, keeping developer needs top of mind and freeing up developers to focus on their own priorities. For some languages and frameworks, we've automatically embedded vulnerability scanning in CI/CD pipelines, so adoption has been seamless and hasn't required any action from developers. For other languages and frameworks not covered by the automated process, we've provided a simple guide for developers to enable Snyk scans as a build step for their application. Now the number of scanned projects continues to increase.
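As an added illustration of what such a build-step gate can do (example code written for this page, not Spotify's guide or Snyk's own tooling): it takes the JSON that `snyk test --json` writes, blocks the build on findings at or above a severity threshold, optionally only when a fix exists (the same idea as Snyk's `--severity-threshold` and `--fail-on=upgradable` options), and returns every finding so the pipeline can forward it to a vulnerability management platform for lifecycle tracking. The report below is constructed, and the field names (`vulnerabilities`, `severity`, `isUpgradable`, `isPatchable`, `packageName`, `version`) are assumed from the Snyk CLI output and should be checked against the CLI version in use.

```python
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample shaped like `snyk test --json` output; not a real scan.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "projectName": "example-service",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution", "severity": "high",
         "packageName": "lodash", "version": "4.17.15",
         "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-EXAMPLE-2", "title": "ReDoS", "severity": "medium",
         "packageName": "minimatch", "version": "3.0.4",
         "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-EXAMPLE-3", "title": "Info Disclosure", "severity": "critical",
         "packageName": "oldlib", "version": "1.0.0",
         "isUpgradable": False, "isPatchable": False},
    ],
})


def triage(report_json, threshold="high", fail_on="all"):
    """Return (build_should_fail, blocking_findings, tracked_findings).

    threshold: lowest severity that blocks the build.
    fail_on:   "all" blocks on any finding at/above threshold; "upgradable"
               blocks only when an upgrade or patch exists, so unfixable
               findings are tracked but do not stall developers.
    """
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold]
    tracked, blocking = [], []
    for v in report.get("vulnerabilities", []):
        record = {"id": v["id"], "severity": v["severity"],
                  "package": f'{v["packageName"]}@{v["version"]}',
                  "fixable": bool(v.get("isUpgradable") or v.get("isPatchable"))}
        tracked.append(record)  # every finding goes to vulnerability management
        if SEVERITY_RANK.get(v["severity"], 0) < min_rank:
            continue
        if fail_on == "upgradable" and not record["fixable"]:
            continue
        blocking.append(record)
    return bool(blocking), blocking, tracked


if __name__ == "__main__":
    fail, blocking, tracked = triage(SAMPLE_REPORT, "high", "upgradable")
    print("FAIL" if fail else "PASS", len(blocking), "blocking of", len(tracked), "tracked")
    raise SystemExit(1 if fail else 0)  # non-zero exit fails the build step
```

In a pipeline the report would come from `snyk test --json > report.json` rather than the embedded sample, with `tracked` posted to the vulnerability management platform regardless of whether the build is blocked.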
The future of secure SDLC at Spotify
Attack vectors are evolving as quickly as the software industry, and it's essential to provide a holistic approach to secure software development. One approach is to automatically generate fixes and merge them without any intervention from the engineering or security teams. In addition, we're able to track the lifecycle of vulnerabilities by using various APIs provided by Snyk and integrating that data into our vulnerability management platform. Other approaches include source code analysis, fleet-wide upgrades through automation, and supply chain management to prevent vulnerabilities by focusing on security at every phase of development.
Our mantra within the Security team at Spotify is to keep risking responsibly. Kudos to the Automation and Tools squad for their strong and helpful contribution to secure software development at Spotify. If you're interested in our mission to scale safely, come join us!