For Thanksgiving, let’s talk about what we’re thankful for: the trends, processes, and technologies that have had a positive impact on software security.
For those of us in the business of software security, it’s easy to have an adversarial view. After all, we wouldn’t need to worry about the security of software if malicious actors weren’t constantly on the lookout for vulnerabilities to exploit. In this column, for example, we’ve talked about top cloud migration security risks, how to prevent ransomware attacks, and the worst web app security issues. But for the upcoming Thanksgiving holiday in the U.S., let’s take a break from talking about risks, issues, attacks, and other threats. Let’s talk about what we’re thankful for instead. Here are some of the trends, processes, and technologies that have had the most positive impact on software security in the last few years.
What has had the most positive impact on software security so far?
Three key areas have had a huge impact in organizations wanting to move toward DevSecOps and building security in:
Breaking down silos. Instead of waiting to fix bugs and vulnerabilities until after they wreak havoc on your applications, treat security issues like any other bug within your DevOps process. Security should not be a separate entity from which developers only receive feedback when security issues are identified. Additionally, finding the proper collaborative automated tools to enable the development, QA, and security teams to work together is an important element in DevSecOps.
Facilitating collaborative change. Organizations seeking to bridge the gap between DevOps and security, while maintaining productivity and solution time to market, oftentimes don’t realize that changes are required throughout the organization. Just like continuous integration, continuous delivery, and continuous deployment, there also must be continuous collaboration, continuous communication across development, security, and operations teams, and more.
Training and building security champions. Establishing a training and security champions program allows members of development teams to learn and volunteer to build software security skills and awareness through mentoring, training, and working closely with the application security teams. These security champions form the front line when it comes to guiding development teams on application security and bridging the gap that exists between DevOps and security teams.
—Meera Rao, senior principal consultant, Synopsys
I see two software security trends across the board—one on the technology tools side and the other on the engineering side.
On the tools side, most of it is focused on IAST (interactive application security testing) and DAST (dynamic application security testing)—new technologies that will revolutionize application security. I’ve not personally bought into the whole thing yet—it’s pretty rough when you test it out—but the promise is there. It will help.
Second is solutions-oriented application security. AppSec teams have focused on finding issues and then having developers fix them. Things are slowly changing to building solutions that engineers can use.
This is the direction that we are going at Dow Jones. We’re trying to build common solutions for issues around authentication, encryption and cross-site scripting—that kind of stuff.
It’s easier for us to develop a solution for a particular technology and then tell the developers, “Hey, do you want to use authentication? Here’s a library, a pattern or a tool to use.” That kind of solutions-oriented engineering security is gaining traction.
—Jay Kelath, director of product security, Dow Jones
A hybrid cloud strategy has always promised and delivered reduced costs, increased agility, improved operational efficiencies and greater ability to accommodate new technological advancements. The biggest question for financial institutions is whether the combination of traditional on-premises storage with public and private clouds provides sufficient security and governance measures to withstand constant threats of fraud and data breaches. …
The irony is that while hybrid cloud environments can create security risks because organizations constantly move data between private and/or on-premises environments and a public cloud, they also can enable greater disaster recovery and increased data security. As a result, banks will be in a much better state to achieve regulatory compliance. That’s because it’s often easier to protect data when it’s in a single place rather than spread across multiple silos across the organization. Additionally, cloud vendors have a huge vested interest in ensuring data security.
—Steven Totman, managing director, financial services, and Richard Harmon, managing director, financial services, Cloudera, Hybrid Cloud’s Impact on Financial Services Security
In addition to a need for secure software (and we and several other companies have a business in this area), there is an emerging trend to make sure that the underlying hardware is also secure. At Synopsys we have a large business enabling semiconductor design, providing electronic design automation software tools, and chip design building blocks. We’re hearing increasingly from our partners that they want to build not just a super-cool and highly functioning chip, like an IoT device, but they also require a secure IoT device. They want to make sure that not only the software running on that chip is secure but the underlying hardware is secure as well. It’s exciting for me, having spent a lot of my career on the hardware side, to see security emerge in the requirements of the hardware teams.
—Deirdre Hanford, CSO, Synopsys
GDPR has inevitably reshaped how organisations across Europe (and the world) are approaching cybersecurity.
Around two-thirds (65%) of the CTOs, CIOs, IT managers and security managers polled think that their company has an organic and strategic approach to cybersecurity. This strategic approach is defined as one where measures are applied from the bottom up—and this is being used to meet the obligations of GDPR. …
With a holistic approach, where security is deeply integrated into IT systems during the design phase, rather than retrofitted post-deployment, organisations gain consistent and more robust data security. A consolidated security architecture, embedded into platforms and spanning an organisation’s entire IT network, is typically more effective at addressing cybersecurity incidents and assisting with GDPR compliance.
Organizations are becoming more aware of the security problem. There is an increase in the demand for software developer security training so that they’re able to build secure software from the beginning. This technology trend will grow exponentially as more organizations identify the need for security training. … Such training sessions are helpful to establish a “secure development” mindset among developers who don’t currently care about security unless the system gets compromised.
—Mahesh Kukreja, senior security consultant, Synopsys
Firms that have security integrated throughout the software delivery lifecycle are much more likely to be using DevOps practices across the enterprise. …
We found that 22 percent of the firms at the highest level of security integration have reached an advanced stage of DevOps evolution. The DevOps principles that drive good outcomes for software development—culture, automation, measurement and sharing—are the same principles that drive good security outcomes. Reliability, predictability, measurability and observability in your deployments not only create intrinsically more secure environments but also, when combined with a strong automation practice, enable speed of response to security issues as they arise.
A strong DevOps culture also supports stronger security. A culture of sharing, where teams collaborate using common tools and work towards common goals; where delivery teams have strong autonomy, yet it’s relatively easy to cross organizational boundaries to get work done—this is a culture where security can be truly a shared responsibility, where issues can be identified early and resolved in the best possible way.
—Puppet, CircleCI, and Splunk, 2019 State of DevOps Report