Continuous Delivery of Secure Web Applications

One of the premier annual information security events of the year is on this week in San Francisco, RSA Conference. While I've been away from web application security for a while, I've maintained my interest in building secure web applications. This is my time of the year to sync up on the current state of application security and the overall Internet threat level. Yet again this year, the situation is just plain scary. In the article, “Analysis: The near impossible battle against hackers everywhere ”, the author discusses the growing threat level from international governments, organized crime and script kiddies alike.
In the business of Application Release Automation, we have an opportunity to contribute significantly to improved security of the applications we deliver. While web application security audits, penetration tests and application firewalls are typically the purview of the InfoSec team, the very nature of release automation and continuous delivery certainly can enhance the security readiness of web applications. Automation leads to repeatability and that repeatability can be harnessed to foster improvements in the processes involved in the total system. Continuous delivery demands an even higher level of repeatability and reliability in the system. Repeatability and reliability are fantastic system attributes that lead to higher quality software and more secure software.
Given the escalating Internet threat level, I wonder if we should provide a more pronounce focus on web application security as part of the application release automation process. For years the fundamental underlying building blocks supporting application release have included build, test, and deploy, or simply BTD. Security fits in conveniently under the test umbrella in this model. Maybe its time to pull security out and place it on par with it's peers. How about build-test-secure-deploy or build-test-attack-deploy or just BTAD!
As an industry, we are already in the midst of a transformation to continuous delivery. We might as well start implementing continuous security to ensure that the applications we deliver so quickly are more impervious to an escalating onslaught of hacker attacks.