Telstra is setting up a new application security and code review team with a global mandate to secure “every line of source code owned by Telstra”.
The new team, dubbed Secure Code, will sit in Telstra’s security operations unit and feed into the software development life cycle “to ensure software is developed as securely as possible”.
This will cover not just internal development efforts but also the work of “offshored developers, vendors engaged on long term MSAs [master service agreements], vendors engaged on short term SOWs [statements of work], or inherited via recent M&A activity (such as Telstra International and Telstra Health).”
“The ability for this team to make a difference to Telstra's overall security posture is vast,” Telstra said.
“There are not many large enterprises in the world who have mature, well-established application security and secure code review programs and so this presents a real opportunity for Telstra to 1) ‘do it properly’ and 2) lead the way with regard to secure software development.”
The team will attack the issue of code security in two ways.
First, it intends to provide “early notification to developers regarding security defects in their code”, potentially cutting the cost to remediate them.
It will also “introduce manual code review during the traditional gated security assessments”.
“Manual code review would typically be performed during the final penetration test to ensure all possible vulnerabilities (in particular, business logic flaws) had been discovered prior to go live,” Telstra said.
The team represents a formal adoption by Telstra of SecDevOps – which is designed to “implant secure coding deep in the heart” of the development process, in much the same way development became embedded with operations under the DevOps model.