Building Security In Podcast: Future State Challenges

Episode 4 summary

We’re in the midst of a massive sea change in software security. We started with shift left years ago. Today, we have to worry about provenance, infrastructure-as-code, the software our engineering teams are building to create their pipelines, and supply chain security, among other things. Our security programs have to shift everywhere with that code to provide good security. As everything becomes code, governance-as-code becomes more important, but it is maturing more slowly than many other aspects of “as-code” and automation. As technology moved from mainframes to web, mobile, embedded, and cloud, security maturity did not keep up. For example, guidance is lacking, and the tools market is fragmented. EO 14028 and its downstream guidance are driving a lot of change today but without specific guidance, much of it is just an opportunity to make the same software mistakes again. Let’s take a people, process, and technology view of some upcoming challenges for security executives.

Guest biography

Through his firm Aedify, John Steven advises innovative security product startups as well as CISOs who are maturing software security initiatives. For two decades, Steven led technical direction at Cigital, where he rose to the position of co-CTO. In 2015, he founded the Cigital spinoff Codiscope and became its CTO. When Synopsys acquired Cigital and Codiscope in 2016, it created a new role for him as the senior director of security technology and applied research. His skillset runs the gamut of software security—from managing security initiatives, to cloud security, threat modeling, security architecture, static analysis, and risk-based security orchestration and testing. Steven is keenly interested in engineering-led and software-defined security governance at the cadence of modern development. As a trusted adviser to security executives, he uses his broad experience across building consulting services and day-to-day execution to build, measure, and mature security programs. He has been a coauthor of the annual BSIMM study and served as coeditor of the Building Security In department of IEEE Security & Privacy magazine. Steven is regularly invited to speak and keynote at public and private conferences.