Chapter 3. Infrastructure Security in the Product Lifecycle

The security of intellectual property and the final product, including code, data, defect information, scripts, and production files, relies on the various infrastructure, systems, and devices used throughout the product lifecycle. In this chapter, I will highlight the important processes and controls that you should address for infrastructure security in the software supply chain. Infrastructure security doesn’t focus only on IT-managed platforms or stop when code is complete—it must extend to all platforms and processes (e.g., digital copies, cloud, mobile app stores, development systems, download centers, manufacturing systems, supply chain logistics, services, and end users).

The core tenets of infrastructure security are represented by the CIA (confidentiality, integrity, and availability) triad. Organizations need to embody these tenets in all aspects of their networks in order to have strong infrastructure security. I have seen organizations with strong infrastructure security in their business environments, but little or no policies, standards, rules, controls, or guidelines in the development, testing, and supply chain environments shown in Figure 3-1. Although not having policies may feel liberating, allowing you to design and build products without constraints, it can lead to security gaps. As a software developer, I fully understand the need for freedom, but there must be a balance between flexibility and ...