Security & the Software Architect

August 23, 2024 #Software Architecture

Sarah Dutkiewicz, Senior Trainer

Last week, while I was at the dev up conference in St. Louis, I caught Kevin Johnson’s presentation called “Rising from the Ashes: Reimagining Information Security in the Era of Integration”. He talked of an ivory tower of infosec (information security) and how it needs to come down. We need to tear down the ivory towers between security and developers. We have also seen software architects in their proverbial ivory towers - those need to come down too! We should include security as part of the discussions at the higher architecture levels as well. In this post, I want to cover some of the things we need to consider in terms of security at the architecture level.

Security Should Not Be an Afterthought

In modern software architecture, application security (AppSec) and information security (InfoSec) play critical roles in ensuring systems are designed to withstand threats from the outset. Software architects should incorporate security principles into the architecture design phase, talking through AppSec practices such as threat modeling, secure coding standards, and regular security assessments, and how to architect a solution that holds up under those practices. This proactive approach helps identify vulnerabilities early, reducing the risk of breaches and ensuring compliance with industry regulations.

InfoSec complements this by providing overarching policies and governance frameworks that guide how security is managed across the organization. Architects must collaborate closely with InfoSec teams to align on security requirements, incident response plans, and data protection strategies. The integration of these security disciplines into the architecture ensures that security is a fundamental component, not an afterthought, in the software development lifecycle.

Security needs to be brought in much earlier, as we see that development teams are not commonly aware of the security issues that lurk in their code.

How to Keep Track of Security?

As software architects, we need to understand many facets of the systems we build and maintain. Security is one of those facets that we need to understand, at least at a high level. But with security ever-changing, how do we keep track of security? These are some of the things to consider.

Continuous Learning and Certification

Some places put a high value on certifications. Enrolling in specialized security courses and obtaining certifications like Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), or Certified Secure Software Lifecycle Professional (CSSLP) can provide in-depth knowledge and validation of security expertise. Online platforms like Coursera, Udemy, and Pluralsight offer various courses focused on secure software design and architecture.

Engage in Security Communities and Conferences

Joining security-focused communities such as the Open Web Application Security Project (OWASP), attending industry conferences like DEF CON, Black Hat, RSA Conference, and BSides, and participating in local security meetups can keep architects updated on the latest threats, vulnerabilities, and best practices.

Hands-on Practice with Security Tools and Techniques

Experimenting with security testing tools, such as static analysis, dynamic analysis, and penetration testing tools, can provide practical insights. Setting up lab environments to practice secure coding, vulnerability scanning, and ethical hacking can enhance an architect’s hands-on skills.

Read Industry Publications and Blogs

Regularly reading articles, whitepapers, and blogs from security experts and organizations (like the SANS Institute, NIST, and security-focused sections on platforms like Medium) can help architects stay informed about emerging threats, security trends, and innovative solutions.

Collaborate with Security Teams

Working closely with AppSec and InfoSec teams during the design and development process helps architects learn about security concerns directly. Engaging in code reviews, security audits, and threat modeling sessions provides practical experience and insights into securing software systems.

Conclusion

Security is often seen as an afterthought in programming, and it shouldn’t be. We need to shift risk left - earlier in our timelines. Bring security into the planning and design phases so that it can be accounted for early on rather than retrofitted later. By adopting these practices, software architects can continuously improve their security knowledge and apply it effectively to design robust and secure systems.

Copyright © 2024 NimblePros - All Rights Reserved