In Noopur Davis' estimation, cybersecurity, like the foundation of a house, must be formed early in the product and service development cycle, rather than something that's applied toward the end of a project.

Davis, EVP and chief information security and product privacy officer at Comcast, has taken this approach head-on as the company pushes ahead on a multi-year Secure Development Lifecycle (SDL) initiative that now reaches into all corners of Comcast's business – from internal systems to various residential and business products and services.

Figure 1: 'At our scale, things take time. There are few places where you get to do engineering at this scale,' says Noopur Davis, a former Intel exec who joined Comcast in 2016.
(Image source: Comcast)

SDL, a practice also known as DevSecOps or "shift left," has become a cornerstone at Comcast under Davis, an exec who served as VP of global quality at Intel's Security Group before joining Comcast in 2016. She now heads up the full gamut of cybersecurity and product privacy functions for Comcast's cable business.

"The main point of SDL is to make sure we are thinking about and actively doing things to make sure we're building security in as we're building our products and services," Davis says.

"When you're building [security] in, it becomes like the DNA of that product or that service. It's inherently an attribute of that product or service."

Layering in security further down the chain is a model that is still followed, but it comes with more risk.

"It can be successful, but it is never as hardened as when it is baked in," Davis explains. "It's more expensive when you do it at the end. And it is not as effective."

Davis says she has worked and explored this work for about 20 years, going back to her time at Carnegie Mellon University, where she was a visiting scientist and senior member of the technical staff of the schools' Software Engineering Institute.

She says weaving security through the entire process of product and service development at Comcast, and having it integrated at all levels of the company has been, thus far, a five-year journey that includes not just Davis' team, but almost all aspects of the company's business.

"At our scale, things take time. There are few places where you get to do engineering at this scale," she says. "It does take a lot of work across the engineering organization. It's a true team effort."

Operationalizing SDL

But to operationalize it, Comcast underwent a systematic approach that spanned a handful of "pillars," Davis explained.

The first thing was to build a community through the creation of a "security guild" that included technologies from across the company, not just people from Davis's team.

"These are like-minded people who are interested in this area and kind of pull-in the rest of the company," she said.

Another key area is "craftsmanship" that uses a martial arts-style approach whereby technologists start with training for a yellow belt, and eventually achieve an orange belt and green belt. A select group get to the black belt level.

Davis says engineers come out of school knowing how to code, but don't necessarily know how to code securely. "Not many universities are teaching this," she said.

Other pillars include security practices, a framework that involves top execs from different parts of the business, and a way to quantify performance.

Swatting security threats

A product that originated from the SDL model is, aptly enough, xFi Advanced Security, a cybersecurity product that is offered for no added cost to Comcast's broadband subs on eligible operator-supplied gateways. Comcast estimates that xFi Advanced Security has already blocked more than 1.6 billion threats this year alone.

Davis says this kind of security is increasingly necessary as more and more devices are connected to the home network. That includes not just laptops, smart TVs and streaming devices, but various screen-less IoT gadgets such as smart locks and connected cameras.

And while Comcast's work in the cybersecurity arena started "anywhere there is code," it's now expanding to "low code" or "no code" products and services, such as third-party systems that interface into the company's ecosystem.

Want to know more about security? Check out our dedicated security channel here on Light Reading.

"We have really cast a very wide net," she says.

Other spots along that journey will include applying security to so-called "zero trust" scenarios, in which no trust is placed on networks.

That's become increasingly important at a time when many employees work from home and are operating outside the protected perimeter of the corporate network, Davis explains.

Related posts:

— Jeff Baumgartner, Senior Editor, Light Reading