Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Security assurance concept for your business

By Dmitry Vyrostkov
Software-as-a-Service
March 23, 2021

In the current environment, it is wise to incorporate security into your software development lifecycle as early as possible. Historically, security checks were a pre-release gateway for a software team: if you passed, your product/service could go to production. At the same time, security checks used to require a code and environment freeze, while audit preparations led to chaos and a non-systematic approach in collecting important security documentation. All these elements led to a bottleneck for the project team. However, a long wait for security testing results is no longer an option since the typical project pace has significantly increased. Various project models suggest their own approaches for introducing security into software development.

For example, in the Spotify model, it is recommended to look for “security champions” - active members of a team with dotted-line reporting to a central Security Team. Classic scrum-based models assume that a project team and product owner are responsible for cybersecurity. The main question is how to achieve acceptable results since most developers are not security professionals and only a few have security knowledge. Consequently, each project requires dedicated security specialists.

Why do we need security experts on our projects? As mentioned above, only some developers can boast any expertise in information security. Moreover, it would be almost impossible to pass an external audit for compliance with common regulations without security specialists on your team. For example, one globally known PCI DSS regulation requires companies to to develop applications securely, design and implement secure Cardholder Data Environment as well as perform regular vulnerability scanning, penetration testing, and security code reviews. Having a security expert on a project is also a competitive advantage since providing security by default opens the doors for large projects and contracts.

Let’s see how we can integrate a security team in a scrum-like process. There is a strong need to work on security at an earlier stage in the development cycle (requirements stage), even before any coding. The approaches to building a security process differ from company to company, but the goal of the process is to design and implement software that protects the company’s data and resources, meets security requirements, and is resilient in the face of security vulnerabilities and failures. Many companies call this process “Security Assurance”. Following are the typical steps to take in setting up a Security Assurance process:

  1. Compliance management. It is best to start with regulation identification relevant to the product/service, then move on to gap analysis and response statement preparation. It is also necessary to model the set of technical controls and address any gaps for security requirements in a product/service.
  2. Threat modeling and risk assessment. Set up a process by which potential security threats can be identified and enumerated. Once this is done, a project team should understand what the risks are and identify the potential impact of these threats. All these answers could help in planning mitigation controls and reducing the probability of any security breach.
  3. Security requirements management. Here we take into account existing security requirements and policies together with security best practices and risk assessment results. It is important to integrate all of these into development and configuration guidelines as well as ensure that each security requirement is addressed properly in user stories. This involves business analysts who work closely with security teams in order to avoid missing anything.
  4. Security architecture reviews. Security reviews are designed to discuss mechanisms suggested by the team and analyze whether they address the security requirements previously defined. The team could further work to identify relevant security mechanisms and controls and customize them according to project needs. Examples of such features and controls are public key infrastructure, cryptography and secrets storage, authentication services, access control, and security event logging. In addition, security experts are also available for ad-hoc consulting sessions and security onboarding as well as education for team members.
  5. Security testing by QA. The aim of such an exercise is to close the security verification gap since only QA can validate how the security requirements have been actually implemented in the software. One might ask "why should QA do this when we’ll be conducting penetration testing?” However, the goals and methodology of penetration testing are different - the pentesting team sees only the tip of the iceberg (and they could also have no time to perform in-depth testing, as the scope of a pentest is usually limited to a specified time frame). In contrast, regular QAs can perform a subset of tasks that are typically run during the pentest, either during every release or significantly ahead of it. That would help software go into production much quicker since a pentest would likely result in fewer issues and the team would already be prepared.
  6. Prerelease security verification. This is a standard set of security testing activities that includes secure code review, pentests, and infrastructure audit.

This list could be longer. Depending on the budget and stakeholders' decisions, it could also include an Automated Security Testing initiative known as DevSecOps, which integrates security checks even further into the development flow, or mandatory security education as part of project onboarding procedures - each person should complete general security and compliance awareness training and role-specific courses.

Overall, setting up the Security Assurance process establishes a systematic, risk-based view of cybersecurity. It offers benefits to any business:

  • Security Assurance minimizes the risk of security pitfalls, meaning less frustration for your clients. Sometimes a sophisticated Security Assurance program guarantees protection against lawsuits.
  • Security Assurance thoroughly prepares your company for any incoming security audits.
  • Dedicated security specialists can save your project teams from boring security tasks.
  • Your solution will be indeed more secure.
KEYWORDS: cyber security data security risk management software security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Dmitry Vyrostkov is Chief Security Officer of DataArt.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Top Cybersecurity Leaders
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Education & Training
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Colorful laptop

Organizations Think They Know Who’s Visiting Their Sites. They Don’t.

Glasses in front of coding on screen

5 Ways Quantum and AI Will Rewrite the Rules of Cyberattacks

Broken wet floor sign

Why Response Time Is Becoming the Missing Metric in Workplace Safety and Security

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • SEC0421-Edu-FEAT_MAIN_1170x878px

    7 top tips for buying the best video analytics software for your business

    See More
  • cyber-insurance-fp1170xv45.jpg

    Why cyber insurance protection is mission-critical for your business

    See More
  • establish a cybersecurity framework for your enterprise

    Establishing a cybersecurity framework for your business

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing