Catalyst has been working with the NZ Transport Agency to open-source an innovative tool that automates essential aspects of the security assurance process and embeds security requirements earlier in the product development lifecycle, saving the agency both time and money.
The framework, named the Security Development Lifecycle Tool (SDLT), aligns with common government security classifications and risk assessment practices to deliver "security by design" across the agency's technology teams.
Through a simple form-based interface, the SDLT uses a series of questions to determine the complexity of the end product and will generate additional questionnaires such as Privacy Impact Assessments, or cloud risk assessments – commonly known as the GCIO 105 – to help teams digitally assess and record their security requirements.
The SDLT integrates with workflow management systems such as Jira and provides an audit trail that ensures security assurance has been built into the project delivery from the start. It can be used as part of the process to deliver or procure proof-of-concept products, Software as a Service (SaaS) applications, and scope feature revisions or bug fixes.
By digitising and automating previously document-based workflows, the SDLT will enable the Transport Agency to simplify the security assurance process, reduce spend on unnecessary third-party assessments, and cut the product approval and delivery process from weeks to days.
Better yet, the Transport Agency open-sourced the project so that other agencies and interested parties can use the tool for free, potentially saving thousands of dollars and work hours.
The collaboration between Catalyst and the Transport Agency through Agile software development is part of an agency strategy to improve security maturity.
The highly configurable digital platform effectively provides a single point of presence to right-size security assurance across the agency from start to finish. This ensures that all product deliveries are assessed against the same criteria from the start. The SDLT handles information gathering, task creation, workflow management, and business approvals, and should meet the needs of a variety of agencies that require a highly responsive security assurance process.
The source code is available on NZTA's GitHub repository.