Security must move to the engineering and development teams. Become best friends, coffee mates, and/or CrossFit buddies with those in engineering and new product development.
Application vulnerabilities account for the vast majority of security issues within organizations in 2016, and that share will only grow. Given this, security must move to the engineering and development teams. Not only does this area give the highest return against real threats, but having security live with engineering and development teams also improves the resilience of applications when they are attacked in the wild. Two popular misconceptions stand in the way, one about training your team and one about identifying who your customers are, and we need to break both before we can succeed.
Note that you cannot train engineers to contemplate, prioritize, ideate, create, and execute every aspect of cybersecurity from start to finish, just as you cannot train yourself to code and ship your company's next product on Amazon's IoT platform. You must team up, and it is your responsibility as the cybersecurity professional, not the engineer's job, to make the partnership effective and sustainable. In this arrangement, internal developers and engineers, as well as the buyers and consumers of your products, are YOUR customers.
Here are two practical areas that are effective and battle tested:
How to engage successfully
First, you and your cybersecurity team must adopt a mindset of “yes, X can be done … here are the constraints.” This requires a shift from pre-baked solutions to a more creative, even artistic, approach to security. Share the “why” with the engineers and collaborate on the “what”; that is what delivers the solutions that actually mitigate the risk. Reframe this as a common conversation about a spouse who wants to run a marathon: do we say, “NO, you never ran a marathon before, you never will,” or do we say, “Of course you can complete a marathon! Here is what we need to do. One, get your nutrition right. Two, start a training program…”
Leave your policies at home. In fact, leave any high-level documentation at home (seriously). You are the cybersecurity professional and therefore can see the forest and the trees, but the engineering teams need more specificity than “protect PHI.” This is your chance to help.
Revisiting our marathon runner: at mile 16, would you yell at your husband, “Did you know the macronutrients you need are dependent upon your oxidative system?” or would you say, “Here, eat this banana so you can cross the finish line and set a personal record”? Useful, specific, actionable, and adaptive guidance from cybersecurity professionals to the product teams is the key to meeting customer requirements.
While the road to a complete application security portfolio strategy is complex and varied -- given customer platforms, development methodologies, technology integrations, and human tendencies -- there are a few immediate, tactical efforts you can lead at any level of the organization that move the proverbial needle. These center on converting your standards to match the product delivery model and on codifying security practices into the product cycle.
Conversion of standards
Be honest: when was the last time you refreshed the standards and cybersecurity programs for your team, business, or enterprise? Not simply updated a few key points, but really challenged them? Now compare that to how much your technology, products, and operating environment have changed. If the delta is large, now is a good time to revisit.
Your standards must address the highly dependent nature of software engineering, cloud deployments, and the complexity of autonomous and adaptive infrastructures. Each of these introduces new technologies, new third parties, and a twist on the risks that can occur. It only takes one AWS outage to reveal that one of your 50+ software components is not resilient enough.
Engineering cybersecurity through automation and scalability
Push cybersecurity practices into engineering. Write the code, run the security checks, and complete the compliance verifications at scale using the tools already in the development pipeline. This way a security problem is solved once: the moment you identify, triage, and resolve it, the check that catches it becomes part of the pipeline. Imagine if your vulnerability scanners only ever reported unique findings -- that is the standard and target we must aim for in application security. (In our standard, a “unique finding” is a fault in code that we detect once, turn into an automated security check that runs on the developer's desktop, and thereby ensure every such fault is fixed before it is merged into the build.)
This involves a rich partnership, a strategy, and engineers to help code the improvements into the development pipeline. The good news is that the pipeline tooling already does most of the heavy lifting; your job is to help the teams simplify it and wire it in.
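The following is an added example, not code from the original post or from any particular team: a minimal pre-merge security gate that shows what “codifying a resolved fault” looks like in practice. Each rule stands for one fault that was found, triaged, and fixed once; from then on the pipeline, not a scanner report, keeps it out of the build. The rule ids (SEC001 etc.), the patterns, the `# security-ok:` suppression convention, and the sample file under review are all assumptions constructed for illustration, not findings from any real code base.

```python
"""Pre-merge security gate: codify a resolved fault as an automated check.

Added example, not code from the original post. It assumes a pipeline
step that runs this script over changed Python files and blocks the
merge on a non-zero exit. Rule ids, patterns and the sample file are
constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Rule:
    rule_id: str          # stable id; the ticket that introduced the rule cites it
    pattern: re.Pattern
    message: str          # the fix, stated for the engineer, not the policy


# Each rule is the codified form of a fault that was detected, triaged and
# fixed once. Once it is here, the same fault cannot be merged again.
RULES = [
    Rule("SEC001", re.compile(r"\bshell\s*=\s*True\b"),
         "subprocess call with shell=True; pass an argv list instead"),
    Rule("SEC002", re.compile(r"\bverify\s*=\s*False\b"),
         "TLS certificate verification disabled"),
    Rule("SEC003",
         re.compile(r"(?i)\b(password|secret|api_key|token)\s*=\s*['\"][^'\"]{8,}['\"]"),
         "hardcoded credential; load it from the secret store at runtime"),
]

# Reviewed exceptions are recorded in-line, next to the code, with the rule id.
SUPPRESS = re.compile(r"#\s*security-ok:\s*(SEC\d{3})")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule_id: str
    message: str


def scan_text(path: str, text: str, rules=RULES):
    """Return one Finding per (line, rule) match, honouring in-line suppressions."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        suppressed = {m.group(1) for m in SUPPRESS.finditer(line)}
        for rule in rules:
            if rule.rule_id in suppressed:
                continue
            if rule.pattern.search(line):
                findings.append(Finding(path, lineno, rule.rule_id, rule.message))
    return findings


def scan_paths(paths, rules=RULES):
    findings = []
    for p in paths:
        findings.extend(scan_text(str(p), Path(p).read_text(encoding="utf-8"), rules))
    return findings


def gate(findings) -> int:
    """Exit status for the pipeline step: non-zero blocks the merge."""
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule_id} {f.message}")
    return 1 if findings else 0


# Constructed sample of a file under review (not real project code).
SAMPLE = '''\
import subprocess, requests
API_KEY = "example-not-a-real-key-1234"
def fetch(url):
    return requests.get(url, verify=False)
def run(cmd):
    return subprocess.run(cmd, shell=True)  # security-ok: SEC001
def ls():
    return subprocess.run(["ls", "-l"])
'''

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        sys.exit(gate(scan_paths(paths)))
    # No arguments: scan the embedded sample so the script runs stand-alone.
    sys.exit(gate(scan_text("sample.py", SAMPLE)))
```

The same script runs as a pre-commit hook on the developer's desktop and as the merge gate in CI, so the fault is reported where it can be fixed in minutes rather than weeks later in a scanner report. On the sample above it reports the hardcoded credential on line 2 and the disabled certificate check on line 4, accepts the reviewed `shell=True` exception on line 6, and exits non-zero.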
These are but a few of the key methods that form the core of accelerating cybersecurity effectiveness across an enterprise's application portfolio. Product development and cybersecurity are not opposing forces; they seek the same result -- happy customers. Be the first to act, the first to compliment, the first to say hello, and the first to offer help, and you are on your way.