Customers are demanding software products that are secure and trustworthy. 62% of respondents in a Ponemon Institute study confirmed that they have lost sales when they were unable to adequately address customers’ product security concerns. In addition, new regulations keep pouring in, mandating various aspects of a robust product security program. However, according to the same study, only 10% of the respondents felt that they had a highly effective program to build secure products for their customers. Organizations are struggling to meet marketplace product security expectations.
Before spending heavily on automation and transparency, organizations need to solve for the following fundamentals:
1. Building a collaborative partnership between security and product development teams
2. Creating synergies by establishing a holistic software supply chain focus
3. Aligning on a common set of foundational objectives to drive a balanced security program
Collaborate to build secure products
Organizations face a natural conflict between deployment velocity for delivering features to the market and the need to simultaneously address additional non-functional security requirements. It must be a leadership priority to proactively foster a culture of partnering to attain common goals, as better collaboration yields faster, more secure, and measurable results.
“Have a development mindset” is the guiding principle of the product security team (including AppSec) at a large technology platform provider as they set out to enhance security partnerships with the development teams. This means a focus on listening, enablement, and continuous support.
As part of that mindset, they started with 3 initiatives:
1. Start with the “why”: It was important to share the purpose and context of product security with the development teams. This included complying with industry regulations, meeting customer requirements, protecting the company’s reputation, and measuring security’s impact on the bottom line. This was done as part of an in-person and virtual roadshow with product development teams.
2. Understand developer needs: As the security team spent time with the developers, many developers shared their desire to learn the fundamentals of product security, including the ability to do basic threat models, and asked for continuous mentoring in building secure products. This led to a targeted training curriculum, use of IDE tools for secure coding, and the launch of a formal champions program.
3. Continuous enablement: To encourage open communication and collaboration between the security and development teams, an ongoing education and mentoring program was rolled out. This included topic-specific office hours, monthly brown bags, and periodic meetings with developers to discuss targeted product security challenges.
Organizations need to ensure that development and security teams stand together from the start of all software and product development projects. Organizations must take a top-down and bottom-up approach to make this work successfully.
Holistic Software Supply Chain focus
“We’re all part of a supply chain – most of us are in the middle.”
– Joshua Corman (Former Chief Strategist CISA)
A holistic approach to software supply chain security requires considering all aspects of the software acquisition, development, integration, and distribution processes. This includes assessing third-party software (and vendors, as well), understanding open-source dependencies, securing the development environment, securing code repositories, and securing the infrastructure used to distribute and deploy software.
One driver for this approach is U.S. Executive Order 14028, which has created prescriptive transparency requirements for software producers. Organizations delivering software (developed or modified after September 14th, 2022) to U.S. federal agencies are required to attest to conformity with the secure development practices outlined in the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance.
Align on foundational secure development controls
During a 2022 Wall Street Journal Cybersecurity forum, Mike Hanley (CSO, GitHub) mentioned that “most organizations don’t master the basics”. That has also been a recurring theme in the Verizon Data Breach Investigations Report for the last few years.
However, organizations are getting overwhelmed with hundreds of controls that they must sift through across multiple frameworks. As product and security teams are stretched to implement an ever-growing set of controls, foundational activities like software inventory, secure SDLC policies, security requirements definition, MFA, open-source governance, and development enablement capabilities are often either missing or poorly implemented.
Organizations need to collaboratively organize around a minimal set of security objectives (e.g., MFA for all administrative access to source code), then prioritize and document the controls that serve as a minimal bar across all product groups based on an agreed-upon risk appetite. That minimal bar also enables the security team to develop deep capabilities in those areas that development teams can then leverage.
While defining objectives and developing your minimal requirements, keep in mind that malicious actors are exploiting weaknesses at every stage of the software procurement, development, integration, and delivery life cycle. These attacks include everything from injecting malicious code into open-source packages to installing back doors in post-deployment software updates. Therefore, it is important to build a foundation across all of these stages.
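One way to make a “minimal bar” of foundational controls concrete is to encode each objective as a check that runs over the organization’s software inventory, so every product group is measured against the same agreed baseline. The following is an added example written for this article, not code from the article or from any organization it mentions; the control identifiers, the inventory fields, and the product and admin names are all constructed for illustration, and the four checks correspond to the objectives the article lists (software inventory, MFA for administrative access to source code, a secure SDLC policy, and open-source governance across the dependency and release stages).

```python
"""Minimal-bar control check over a constructed software inventory.

Added example (not from the original article). Encodes a small set of
foundational objectives as checks that run over one inventory record per
product. Control IDs, field names, repositories and logins are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Admin:
    login: str
    mfa_enabled: bool


@dataclass
class Product:
    name: str
    repo: Optional[str]                 # None = source location not captured in inventory
    admins: list[Admin] = field(default_factory=list)
    sdlc_policy_ack: bool = False       # team has acknowledged the secure SDLC policy
    dependencies_pinned: bool = False   # lockfile / pinned versions committed
    sbom_published: bool = False        # SBOM generated for released builds


# Each check returns a list of failure reasons; an empty list means the control passes.
def check_inventory(p: Product) -> list[str]:
    return [] if p.repo else ["no source repository recorded in inventory"]


def check_admin_mfa(p: Product) -> list[str]:
    return [f"admin {a.login} has no MFA" for a in p.admins if not a.mfa_enabled]


def check_sdlc_policy(p: Product) -> list[str]:
    return [] if p.sdlc_policy_ack else ["secure SDLC policy not acknowledged"]


def check_oss_governance(p: Product) -> list[str]:
    reasons = []
    if not p.dependencies_pinned:
        reasons.append("dependencies not pinned")
    if not p.sbom_published:
        reasons.append("no SBOM for releases")
    return reasons


# The agreed minimal bar: (constructed control id, description, check).
MINIMAL_BAR: list[tuple[str, str, Callable[[Product], list[str]]]] = [
    ("INV-1", "Product is in the software inventory", check_inventory),
    ("IAM-1", "MFA for all administrative access to source code", check_admin_mfa),
    ("SDLC-1", "Secure SDLC policy adopted", check_sdlc_policy),
    ("OSS-1", "Open-source governance (pinned dependencies, SBOM)", check_oss_governance),
]


def evaluate(products: list[Product]) -> dict[str, dict[str, list[str]]]:
    """Return {product name: {control id: failure reasons}}, listing failing controls only."""
    report: dict[str, dict[str, list[str]]] = {}
    for p in products:
        failures = {}
        for cid, _desc, check in MINIMAL_BAR:
            reasons = check(p)
            if reasons:
                failures[cid] = reasons
        report[p.name] = failures
    return report


def passes_minimal_bar(products: list[Product]) -> bool:
    """True only when every product passes every control in the minimal bar."""
    return all(not failures for failures in evaluate(products).values())


# Constructed sample inventory (fictional products, repositories and logins).
SAMPLE_INVENTORY = [
    Product("billing-api", "git.example/billing-api",
            admins=[Admin("alice", True), Admin("bob", True)],
            sdlc_policy_ack=True, dependencies_pinned=True, sbom_published=True),
    Product("legacy-portal", "git.example/legacy-portal",
            admins=[Admin("carol", True), Admin("dave", False)],
            sdlc_policy_ack=True, dependencies_pinned=False, sbom_published=False),
    Product("ops-scripts", None, admins=[Admin("erin", False)]),
]

if __name__ == "__main__":
    for name, failures in evaluate(SAMPLE_INVENTORY).items():
        print(("PASS " if not failures else "FAIL ") + name)
        for cid, reasons in failures.items():
            print(f"  {cid}: {'; '.join(reasons)}")
```

The point of keeping the bar this small is that each control can be answered from data the organization already holds (repository inventory, identity provider, release artifacts), so the report can be regenerated on a schedule and the security team can invest in deep tooling for exactly those few controls rather than spreading across hundreds.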
In conclusion, building a strong foundation in product security through culture, holistic focus, and the right foundational controls is critical to ensuring the success and protection of technology-based products. Organizations must prioritize these fundamentals to create a secure and robust product security posture.