In a day and age when the prime directive for many organizations is to seek digital agility above all else, cool new apps get conceived, assembled and deployed at breakneck speed.
Related: DHS instigates 60-day cybersecurity sprints
Software developers are king of the hill; they are the deeply-committed disciples pursuing wide open, highly dynamic creative processes set forth in the gospels of DevOps and CI/CD.
In this heady environment, the idea of attempting to infuse a dollop of security into new software products from inception seems almost quaint. I recently sat down with Rohit Sethi, CEO of Security Compass, to discuss why this so-called product security gap inevitably must be narrowed, and why there are encouraging signs that should be what happens, going forward, albeit incrementally.
For a full drill down on our wide-ranging conversation, please give the accompanying podcast a listen. Here are key takeaways.
History of product security
It has become all too common today for an organization to commit to what Sethi calls a fast-and-risky approach to building new software products. In a race gain a competitive edge, companies do whatever it takes to deploy new software products as quickly as possible. As a nod to security, nominal static analysis and maybe a bit of penetration testing gets done just prior to meeting a tight deployment deadline.
This, in fact, was the same general approach to developing and deploying new software that existed in early 2002 when Bill Gates slammed the brakes on all Windows development to focus on implementing Trustworthy Computing. Microsoft, at the time, was on the brink of getting swallowed up by potent self-spreading Windows worms like SirCam, Code Red, ILoveYou and Nimbda. So Gates directed billions of dollars towards the adoption of Security Development Lifecyle, or SDL, a systematic approach to infusing product security at the start of the Windows development process.
Gates deserves credit for raising the bar of product security. Since he coined Trustworthy Computing and Microsoft strategically embraced SDL, it has become a common practice to integrate security requirements, design reviews and threat modeling into the software development cycle. But now, of course, digital transformation has changed everything.
Those methods are becoming outdated, Sethi told me. They just cant keep up with the way that people build software today. People build very quickly, and then they ship it out. And right before shipping, theyll do a bunch of security checks . . . They may or may not fix anything they find, because their deadlines are tight. This works well until theres a breach, and then you have to go back and explain why you never integrated security from the onset of development.
11th hour inspections
Digital transformation has turned back the clock on product security. And this time around, the coding flaws of concern arent limited to one operating system; the risks present themselves all throughout the digital landscape, wherever software connections get made between humans and machines, as well as from machine-to-machine.
Product security has become a numbers game. A typical situation is for an enterprise to have a small team of product security professionals working on several hundred software products in different stages of development, Sethi says. Ideally, a certain level of threat modeling and security requirements would get done on every project. But in practice, the developers are doing well if they get to the most critical ones, Sethi says. After that, it comes down to slipping in a round of eleventh-hour inspections: static analyses, and perhaps a bit of penetration testing just prior to meeting a deployment deadline.
Observes Sethi: Threat modeling is quite time-consuming and requires a lot of expertise, so not everybody even does this. It requires, for example, drawing out the trust boundaries within the architecture of the application to gain an understanding of where trusted and untrusted data is coming in, and then determining if there are any ways to attack the system, such as spoofing or tampering data.
Its not uncommon to have a team of six or eight people assigned to a thousand applications, so theres no way they can do threat modeling on all of them. So they prioritize and work on the crown jewels, and rely on tools to find any security vulnerabilities after the fact.
In todays environment, implementing Microsoft-style SDL best coding practices, done manually by a small team, could add weeks to the deployment schedule. SDL practices may run counter to frameworks like CI/CD, which stands for Continuous Integration/Continuous Deployment. Software developers today work as swiftly as they can on small chunks of coding, or microservices, cobbled together inside of software containers, which they place into a code repository, such as GitHub.
This gives other developers easy access to many chunks of coding. Developers are free to modify, add to or utilize endless small chunks, and out of the other end comes a new app that gets deployed into service, with no human intervention.
Returning to security-by-design
The cybersecurity community isnt blind to how DevOps the melding of development and operations teams to speed delivery of new apps and its core CI/CD component have vastly expanded the attack surface of business networks. Modern-day software development produces vast swaths of new microservices, and the software containers the sit in, that do not adhere to very basic secure-coding practices.
Can anything reverse this trend, going forward? The steady advance of the SecOps and DevSecOps movements which push security to the left of software development timelines hold promise narrowing the product security gap over time. Security Compass is among a group of vendors innovating new tools and services to bring machine learning and advanced automation increasingly into this mix.
Sethi
Security Compass, for instance, supplies a platform that allows development teams to manually or automatically describe the system they are building; this specifies what the application is and what functionalities it includes. This information gets automatically correlated to a comprehensive knowledge base of potential security and compliance issues, which triggers creation of corresponding countermeasures and controls that are added automatically to product backlogs. Thus, automation helps to weave security-by-design best practices into daily workflows. The company coined the market term Balanced Development Automation for this approach to DevSecOps.
Again its a numbers game. No one is claiming you can write 100 percent secure code, Sethi told me. But if 80 to 90 percent of the security vulnerabilities we see getting exploited are preventable, which I believe they are, and if you could get to even half of that, then youd have almost half as many breaches, and that represents billions of dollars of economic value.
Clearly, striving for software thats secure by design, as well as highly agile, is doable and something that needs to get done, the sooner the better. Ill keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/rsac-insights-security-compass-leverages-automation-to-weave-security-deeper-into-secops/
More:
- Automation Personnel Services - Temporary Staffing ... [Last Updated On: March 25th, 2016] [Originally Added On: March 25th, 2016]
- Automation | Define Automation at Dictionary.com [Last Updated On: March 25th, 2016] [Originally Added On: March 25th, 2016]
- Automation | Definition of automation by Merriam-Webster [Last Updated On: March 25th, 2016] [Originally Added On: March 25th, 2016]
- Automation | The Car Company Tycoon Game [Last Updated On: March 25th, 2016] [Originally Added On: March 25th, 2016]
- Automation - Wikipedia, the free encyclopedia [Last Updated On: March 25th, 2016] [Originally Added On: March 25th, 2016]
- Automation - Cloud process & workflow automation | Microsoft ... [Last Updated On: June 29th, 2016] [Originally Added On: June 29th, 2016]
- Riverside Automation - Machine Controls [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- Automation: The Car Company Tycoon Game Windows - Mod DB [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- System Integration | Industrial Automation [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- WinAutomation - Smart Macro Recorder, Web Automation ... [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- Automation Solutions - Home [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- The Automation Conference [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- Rohtek Automation [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- JL Automation, LLC | Home Automation, A/V Automation [Last Updated On: July 3rd, 2016] [Originally Added On: July 3rd, 2016]
- Four fundamentals of workplace automation | McKinsey & Company [Last Updated On: August 27th, 2016] [Originally Added On: August 27th, 2016]
- Leviton Security & Home Automation [Last Updated On: August 27th, 2016] [Originally Added On: August 27th, 2016]
- EVA Automation [Last Updated On: September 6th, 2016] [Originally Added On: September 6th, 2016]
- News | Automation | The Car Company Tycoon Game [Last Updated On: September 6th, 2016] [Originally Added On: September 6th, 2016]
- Automation - The Car Company Tycoon Game on Steam [Last Updated On: September 6th, 2016] [Originally Added On: September 6th, 2016]
- Test automation - Wikipedia, the free encyclopedia [Last Updated On: September 6th, 2016] [Originally Added On: September 6th, 2016]
- Job Seekers - Automation Personnel Services [Last Updated On: October 8th, 2016] [Originally Added On: October 8th, 2016]
- Custom Automation & Machine Design | Automation GT [Last Updated On: October 31st, 2016] [Originally Added On: October 31st, 2016]
- iAutomation [Last Updated On: October 31st, 2016] [Originally Added On: October 31st, 2016]
- Test automation - Wikipedia [Last Updated On: November 16th, 2016] [Originally Added On: November 16th, 2016]
- Automation - Official Site [Last Updated On: November 19th, 2016] [Originally Added On: November 19th, 2016]
- Beckhoff Automation - Wikipedia [Last Updated On: November 21st, 2016] [Originally Added On: November 21st, 2016]
- Automation - Security Hyperstore [Last Updated On: November 21st, 2016] [Originally Added On: November 21st, 2016]
- IT Automation - BMC [Last Updated On: November 29th, 2016] [Originally Added On: November 29th, 2016]
- ID Automation [Last Updated On: November 29th, 2016] [Originally Added On: November 29th, 2016]
- The Best Home Automation Systems of 2016 | Top Ten Reviews [Last Updated On: December 24th, 2016] [Originally Added On: December 24th, 2016]
- What is Home Automation? | Home Automation Systems [Last Updated On: December 24th, 2016] [Originally Added On: December 24th, 2016]
- Beyond Automation - hbr.org [Last Updated On: December 25th, 2016] [Originally Added On: December 25th, 2016]
- Build automation - Wikipedia [Last Updated On: December 26th, 2016] [Originally Added On: December 26th, 2016]
- Home automation - Wikipedia [Last Updated On: January 10th, 2017] [Originally Added On: January 10th, 2017]
- Automation | Food Engineering [Last Updated On: January 13th, 2017] [Originally Added On: January 13th, 2017]
- Home Automation - Enerwave Home Automation [Last Updated On: January 14th, 2017] [Originally Added On: January 14th, 2017]
- Automation - DESHAZO [Last Updated On: January 14th, 2017] [Originally Added On: January 14th, 2017]
- Robots, Automation, EOAT, Grippers, Conveyors, Guarding [Last Updated On: January 26th, 2017] [Originally Added On: January 26th, 2017]
- Werner Electric | Automation [Last Updated On: January 28th, 2017] [Originally Added On: January 28th, 2017]
- Automationtechies | Automation Engineering Recruiting [Last Updated On: January 28th, 2017] [Originally Added On: January 28th, 2017]
- Automation - Mazak Corporation [Last Updated On: January 28th, 2017] [Originally Added On: January 28th, 2017]
- Automation | Technologies | Systems | Integrator ... [Last Updated On: January 28th, 2017] [Originally Added On: January 28th, 2017]
- Test Automation Services for Development of Regression ... [Last Updated On: January 28th, 2017] [Originally Added On: January 28th, 2017]
- Carlo Gavazzi Automation Components [Last Updated On: January 30th, 2017] [Originally Added On: January 30th, 2017]
- UI Automation Overview - msdn.microsoft.com [Last Updated On: February 5th, 2017] [Originally Added On: February 5th, 2017]
- New telecom transformation goals require service automation - TechTarget [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- Global Hazardous Waste Handling Automation Market: By Products ... - Business Wire (press release) [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- 2M Automation wins IoT support from Schneider - Electronics EETimes (registration) [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- Futures Shaped by Automation and Catastrophe: Peter Frase on Capitalism's Endgame - Truth-Out [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- Automation expected to displace insurance underwriters, real estate brokers - CIO Dive [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- Automation, robots could replace 250000 public sector workers in the next 15 years - Computer Business Review [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- Design Automation Conference - Business Wire (press release) [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- The Perks Of Automation And The Risks: Why To Think Twice About Getting Into That Driverless Uber - Forbes [Last Updated On: February 6th, 2017] [Originally Added On: February 6th, 2017]
- Lib Dems Should Embrace Automation of the Workforce - Liberal Democrat Voice [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- Voices Reinventing enterprise finance by overhauling AP automation - Accounting Today [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- How Accountants Can Use Automation Their Advantage - Accountingweb.com (blog) [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- DFLabs Launches the First Security Automation and Orchestration Platform based Upon Supervised Active Intelligence - Business Wire (press release) [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- QAD Automation Solutions is Honda Approved - Yahoo Finance [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- VIDEO: Going Big on Automation in a Small Footprint Facility - ENGINEERING.com [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- Building a better model of human-automation interaction - Phys.Org [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- AlixPartners examines automation in manufacturing and logistics management - Logistics Management [Last Updated On: February 7th, 2017] [Originally Added On: February 7th, 2017]
- Report: Test automation is increasing - SD Times - SDTimes.com [Last Updated On: February 9th, 2017] [Originally Added On: February 9th, 2017]
- Automation is the unavoidable future of the economy - The Daily Cougar [Last Updated On: February 9th, 2017] [Originally Added On: February 9th, 2017]
- GM's Cruise Automation Is Testing An App to Order Self-Driving ... - Fortune [Last Updated On: February 9th, 2017] [Originally Added On: February 9th, 2017]
- Speeders beware: Legislation would allow automation crackdown ... - SFGate [Last Updated On: February 9th, 2017] [Originally Added On: February 9th, 2017]
- Orbita Ingenieria: New Age Terminal Automation - Port Technology International [Last Updated On: February 10th, 2017] [Originally Added On: February 10th, 2017]
- A Sharper Focus on the Edge - Automation World [Last Updated On: February 10th, 2017] [Originally Added On: February 10th, 2017]
- Rockwell Automation Surged 10% in January as Growth Picked Up Steam - Motley Fool [Last Updated On: February 10th, 2017] [Originally Added On: February 10th, 2017]
- Most people are optimistic about workplace automation, social data suggests - ZDNet [Last Updated On: February 10th, 2017] [Originally Added On: February 10th, 2017]
- Improving Behavior Through Automation of Vehicle Systems - School Transportation News (blog) [Last Updated On: February 11th, 2017] [Originally Added On: February 11th, 2017]
- 'We employ insane levels of automation' Kris Canekeratne - Times of India [Last Updated On: February 11th, 2017] [Originally Added On: February 11th, 2017]
- Why Don't We See More Automation in Federal Networks? - Nextgov [Last Updated On: February 11th, 2017] [Originally Added On: February 11th, 2017]
- Technobabble: Automation and the modern worker - CIO Dive [Last Updated On: February 11th, 2017] [Originally Added On: February 11th, 2017]
- Readers Write (Feb. 12): The moose population; jobs, start-ups and automation; diversity in the funny pages - Minneapolis Star Tribune [Last Updated On: February 12th, 2017] [Originally Added On: February 12th, 2017]
- Automation Nightmare: Philosopher Warns We Are Creating a World Without Consciousness - Big Think [Last Updated On: February 12th, 2017] [Originally Added On: February 12th, 2017]
- Automation can replace bureaucrats and save taxpayers money - Hot Air [Last Updated On: February 12th, 2017] [Originally Added On: February 12th, 2017]
- Automation can revitalize the US workforce - Fox News [Last Updated On: February 12th, 2017] [Originally Added On: February 12th, 2017]
- TigerStop hopes to ride automation to new heights - The Columbian [Last Updated On: February 13th, 2017] [Originally Added On: February 13th, 2017]
- Hexadite Unveils Custom Playbooks Following One Millionth Automated Cybersecurity Investigation - Yahoo Finance [Last Updated On: February 13th, 2017] [Originally Added On: February 13th, 2017]
- NEC updates postal automation system for Hongkong Post - ETCIO.com [Last Updated On: February 13th, 2017] [Originally Added On: February 13th, 2017]