Of all the themes presented at this year's Interop Digital 2021 conference on cybersecurity's changing role in IT, none was more pervasive than integrating security into every stage of the development process and making cybersecurity planning a priority throughout the organization.
Elena Kvochko, chief trust officer of SAP and the event's keynote speaker, started the day off with an overview of the current state of cybersecurity. She noted that despite technological advances, most organizations still aren't prepared for a large-scale cybersecurity attack. Part of the reason is the pivot to remote work, which created new dynamics between IT and security organizations and created new attack targets; cybersecurity planning has not caught up to the realities of remote and hybrid IT environments.
Part of the solution is better collaboration and information sharing between security organizations and IT organizations, and between companies and external organizations, Kvochko said at Interop 2021. She stressed the need for greater clarity on which information can be trusted and which of it is valuable and actionable. She also discussed the need to develop cybersecurity planning strategies that establish governance, policy frameworks and reliable controls, and to find ways to ensure that they are adhered to.
At the same time, Kvochko noted that new attack risks also present an opportunity for organizations to develop more secure applications and environments. That means developing tools, services, platforms and capabilities to facilitate the development of secure products. The goal is to provide developers with the tools they need to build products that are secure from the start and rely on security-by-design standards. This will allow organizations to respond quickly to cyberattacks, vulnerabilities, and incidents, she added.
Later in the day, a group of panelists at Interop 2021 expanded on this topic, discussing the best ways to build cybersecurity planning into the application development process. Stephen Gates, security evangelist and senior solution specialist at Checkmarx, started off the discussion by talking about his aversion to the term "Shift Left." The reason, he said, is that DevOps is actually a Figure 8 infinity loop, which means that application security testing and tooling should be embedded throughout the software development process.
"Today, I'd rather say 'Shift Center,' because we're embedding the tools right into what the developer is using," he said. "Putting the tools right where developers like to work most makes a lot of sense."
Incorporating cybersecurity planning into the application development process isn't easy, but off-the-shelf tooling can ease the pain. A big part of that discussion is how much security tooling development organizations should buy versus how much they should build. In general, application security vendors are creating very usable, plug-and-play self-service tools that integrate into development pipelines, and teams may choose them because of staffing shortages or time constraints. But there are plenty of times when that approach to application development security may not make sense. It's a complicated process that's not one-size-fits-all.
"It's about developers having everything they need when they need it at the touch of their fingertips, with tools that are developer-friendly," said Kristen Bell, senior manager for AppSec engineering at GuidePoint Security. "If we're slowing them down, if the tools are noisy or not working for them, they get a very bad taste in their mouth very quickly."
Building security into the development process also requires a culture shift that includes truly listening to your developers. Many organizations have disparate development groups, which makes it harder for decision-makers to understand the priority of security-first development.
"Typically, [the security community] has been a culture of 'no,'" said Brad Causey, a principal at Zero Day Consulting at Interop 2021. "At the end of the day, we're not a profit center. Developers are the ones who are producing the products that make the company's money, or at least supporting the company. So we need to change our role to support developers to be more successful."
It also works the other way – with developers convincing leadership that building security into the development process is a priority, Bell said. "It gives developers a voice at the table and allows them to learn from each other, because those groups are going to be in varying levels of maturity across the board. And it gives them a way to take all that information back and extend resources to teach their teams what they are learning in that group."
The group also discussed common mistakes that developers make in security testing, such as running scanners with their default queries instead of tuning them to the application, and failing to understand both the challenges and the opportunities of open source. One of the most important things, Causey said, is to find ways to identify and mitigate vulnerabilities as early as possible in the development process. It's also important to prioritize vulnerabilities by understanding the risk profile of each application, and then remediate findings in order of importance. One way to do that is to define risk-rating criteria, Bell said.
Causey noted that training developers to treat security as central is also extremely important. Training should happen on the job and be built around short, specific, context-relevant examples. "Everyone can go to Google to find out how to fix a SQL Injection flaw, but if you can look at a code example from your peers on how they fix that same flaw, then that becomes context-specific and useful and relevant to you."
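The SQL injection flaw Causey mentions is the kind of thing such a peer example would cover. The following is an added illustration, not code from the conference or from any of the speakers' companies: a constructed in-memory SQLite table, a lookup that splices user input into the query string, and the same lookup with a bound parameter. The table contents, function names and the attacker payload are all made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo; not a real user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable form: attacker-controlled text becomes part of the SQL
    # statement itself, so quotes and operators in the input are executed.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    # Hardened form: the value is bound as a parameter. The statement text is
    # fixed at authoring time and the driver passes the value separately, so
    # the input is only ever compared as data, never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Returns the rows each variant yields for a benign name and for a
    # classic tautology payload (constructed here for the demonstration).
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_fixed": lookup_fixed(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),
        "payload_fixed": lookup_fixed(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the vulnerable lookup's WHERE clause becomes `username = '' OR '1'='1'` and returns every row; the parameterized lookup searches for a user literally named `' OR '1'='1` and returns nothing. That contrast, shown on the team's own data-access layer, is the peer-reviewable example the panel was describing.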
Context is critical when it comes to training, Gates agreed.
"If you run a scan and see a vulnerability to questionable code, you want to be able to jump to a gaming or gamified interactive lesson that teaches exactly what happened with their code, how it can be exploited and how to go back and remedy it quickly," he said.