As we begin to arise from our Christmas food comas, and a moment before we make sure that our liquor cabinets are stocked and the champagne is on ice, this is a great time to jot down some of our priorities for the year ahead.
If this seems like a formidable task for your eggnog-addled mind — have no fear, we’ve got this. Your friendly WhiteSource peers have come up with some New Year’s resolutions for CISOs.
Chief Information Security Officers have had quite a year: good security help is increasingly hard to find, data is piling up, and hackers lurk at every entry point. Meanwhile, DevOps, product and R&D teams race to the finish line in sprint after sprint to give customers what they want. All teams are learning the hard way that security needs to be integrated into the product and its development process yesterday — or else (when I say or else I really mean Equifax).
So, without further ado, let’s help our CISOs out with some ideas for new years resolutions that will help them ensure information security at their organization is on point at all times, keeping the stakeholders happy and the hackers at bay.
Incorporating security into the DevOps cycle is a relatively new approach, and many organizations are still struggling to ensure that security is shifted left and integrated throughout the DevOps cycle.
Security expert Michele Chubirka says in her blog that, “While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don’t understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program.”
While the struggle is real, more and more enterprises and organizations are making a concerted effort to shift security practices left and incorporate them into the DevOps cycle, ensuring that security doesn’t impede time to market. According to recent DigiCert research, nearly half of the organizations surveyed said that they are in the process of integrating security with DevOps, and that the rest said that they already completed their integration.
If you are working in an organization where stakeholders and developers are resistant to the idea of DevOps and security mixing it up, Amir Gerbi, CTO of Aqua Security, lists the numerous KPIs that can convince the sceptics and late adopters. He points to important strategies like including reduction in security related tickets, reduction in security related build-time delays and failed builds, reduction in time spent resolving security issues, and more.
You can run, but you can’t hide.
The EU’s GDPR (General Data Protection Regulation) went into effect in May 2018, and it appears many companies in and out of the EU are either pretending that if they ignore it, then it won’t happen or trying to figure out where to begin.
GDPR is an updated set of rules that the European Commission created to govern the privacy and security of personal data. One of the main components is regulation of how companies process and store individuals’ personal data.
Gearing up towards GDPR compliance is certainly an organization-wide effort, with CISOs expecting plenty of late nights throughout the process. If you haven’t started establishing GDPR compliance policies throughout your organization, now would be a good time to kick it into gear.
Daniel Grabski, Executive Security Advisor at Microsoft’s Enterprise Cybersecurity Group, recommends taking the following steps when putting together a GDPR compliance strategy:
Discover—Identify what personal data you have and where it resides. This is fundamental to any good risk management practice, and is critical with the GDPR as one can only protect and manage data, as required by the GDPR, when the data is identified.
Manage— Execute on data subject requests, and govern how personal data is used and accessed. Make sure that data is only used for the purposes it was intended for and accessible only to those with a need to access it.
Protect—Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches. By properly securing your data across its lifecycle, you will reduce the risk of a breach occurring. Knowing when and if a breach occurs, can help you keep the data protection authority informed.
Report—Report data breaches, and keep required documentation. Proving that you are governing data in the right way and successfully handling data subject requests is the core of compliance.
Most of today’s applications consist of 10% – 20% of proprietary code, and 80%-90% open source and third-party components. However, one out of every 16 open source download requests is for a component with a known vulnerability.
If the never-ending headlines reporting ransomware attacks and data breaches haven’t convinced your organization to be vigilant about third party software, you’re not alone. We’ve witnessed more than one organization ignoring vulnerability and patch warnings from open source and third party developers. Some of these organizations – Equifax, to name one, put millions of individuals at risk of identity theft and gravely damaged their own reputation along the way. In the months following the fiasco, we’ve witnessed a handful of organizations taking bold steps to ensure that they are not going to be the next ones to end up in the headlines for allowing a breach like this to happen to them.
But what about the rest of the software development industry?
However, the writing is on the wall and in the research results. Rik Ferguson, VP of security research for Trend Micro told Infosecurity magazine that, “Many devastating cyber attacks in 2017 leveraged known vulnerabilities that could have been prevented had they been patched beforehand. This trend will continue next year as corporate attack surfaces expand and expose more security holes.”
Security officers need to find ways to track the third party components in their products as early as possible in the DevOps cycle and make sure that they are not putting their company or their customers at risk.
Software Composition Analysis (SCA) tools can automatically analyze a software application’s source code, modules, frameworks, and libraries to audit open source and third-party software components. SCA enables organizations to identify known security vulnerabilities or licensing issues in a software project before it is released into production.
Last but definitely not least is a friendly tip from experienced WhiteSource folks:
keep your office liquor cabinet stocked with the good stuff.
Regulation, data breaches, ransomware, office politics — do your thing, we know you have it covered. A weekly CISO-hosted happy hour will help you get even the most resistant sceptics on-board, and ready to face the next security challenge by your side. Pizza doesn’t hurt, either.
From all of us at WhiteSource, have a happy and secure new year.