Does your organization have a cyber security policy in place? Can you name three practices that you and your team observe as part of this policy? Results from an IBM Security study show that while 65% of C-suite executives are highly confident that their cyber security plans are well established, only 17% are actually demonstrating the highest degree of preparation. Reality check much?
If so many executives believe that they are doing their best to keep their organizations safe and cyber secure, how come only a reported 17% of organizations are cyber secure? I think all of us have experienced the gap between the known need for application security standards - arising from compliance regulation or evolving cybercrime threats - and the actual DevSecOps practices put in place and upheld day to day, by individuals and departments.
Back to the study: results also show that one of the key differences between the top cyber secure organizations and the rest is having a CISO. The need for cybersecurity professionals has indeed been growing over the past few years. As industries turn to cyber security officers and put increasing weight on their shoulders, we thought that this week we’d give the guardians of our organizations’ cyber protection a hand, and put together a list of solid application security practices that we’re not sure everyone’s using.
#1 Data Protection
The rise of ransomware attacks is creating a growing need for data protection: organizations should include an air-tight backup strategy as part of their comprehensive Incident Response plan, ready to be put into action if data sources and repositories are compromised. Ransomware can access and encrypt your data. To contain and remediate these types of attacks, data should be stored and backed up in secured locations that stay intact when the primary systems are compromised.
#2 Open Source Security Management
As open source software usage continues to grow across organizations of all shapes and sizes, it appears that open source security management is not always keeping up: I was recently told by a senior developer in a large software company that he relies on open source code regularly, and has no idea if or how his usage of open source components is tracked as part of his organization’s DevSecOps cycle.
Open source security management is extremely important, and integrating automated open source security management tools into the earliest stages of your software development lifecycle will keep both your organization’s software engineering and security teams happy.
#3 Share Incident Data
Speaking of open source: we might want to take a page out of the open source community’s collaborative practices. According to the IBM Security study, cyber secure organizations collaborate more with external parties. They share incident data with vendors, partners, third-party security services firms and even industry competitors. Data about vulnerabilities is growing rapidly – in the open source community and everywhere else. When organizations and experts share their post-incident data and knowledge, they all gain tools to become stronger in the face of these cyber security threats.
#4 Automate Security Checks Throughout the DevOps Cycle
Automated security tests can include: functional security tests, specific non-functional tests against known weaknesses, application and infrastructure security scanning, and security testing of application logic. Beyond improved security, automating security tasks and integrating DevSecOps tools will also help to streamline your teams’ workflows, prioritize threats based on business criticality, and reduce time to threat detection and response.
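To make practices #2 and #4 concrete, here is an added example (not code from the original post or from any product it mentions) of the kind of automated check that can run as an early CI step: it parses a pinned dependency manifest, compares each pin against an advisory list, and fails the build when a component is below its fixed version. The package names, versions and advisory entries are constructed placeholders; a real pipeline would pull them from an SCA tool or vulnerability database.

```python
"""Minimal dependency gate for a CI job (added example, constructed data)."""
import re

# Constructed advisory feed: package -> first version without the known issue.
# These names and versions are placeholders, not real advisories.
ADVISORIES = {
    "examplelib": "2.4.1",   # pins below 2.4.1 are treated as vulnerable
    "otherpkg": "1.0.3",
}

def parse_version(v: str) -> tuple:
    """Turn '2.3.0' into (2, 3, 0) so tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text: str) -> dict:
    """Collect 'name==version' pins from a requirements-style file."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_vulnerable(pins: dict, advisories: dict = ADVISORIES) -> list:
    """Return (package, pinned, fixed_in) for each pin below its fixed version."""
    findings = []
    for name, fixed in advisories.items():
        pinned = pins.get(name)
        if pinned and parse_version(pinned) < parse_version(fixed):
            findings.append((name, pinned, fixed))
    return findings

def gate(requirements_text: str) -> int:
    """CI exit status: 0 when clean, 1 when any vulnerable pin is present."""
    findings = find_vulnerable(parse_requirements(requirements_text))
    for name, pinned, fixed in findings:
        print(f"BLOCK: {name}=={pinned} has a known issue; upgrade to >={fixed}")
    return 1 if findings else 0

# Constructed sample manifest for a stand-alone run.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0   # below the fixed version
otherpkg==1.0.3     # already at the fixed version
unrelated==0.9
"""

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REQUIREMENTS))
```

Wiring the script into the pipeline so a non-zero exit stops the build is what turns a scan into an enforced policy.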
#5 Assign Points of Contact
When it comes to a security breach: do you really have time to sit around and wonder whose job it is to protect and remediate? Research shows that in many organizations there is a distinct disconnect between IT decision makers, DevOps teams, and C-suite members. Many of us think of a cyber security officer and are reminded of the hassle of compliance to new or updated standards. However, cyber security and application security are not the responsibility of an individual or a small team in your organization, and no single team can address software security throughout its entire DevOps lifecycle.
That’s why it’s important that there is at least one appointed representative in every department who is in contact with the organization’s security officer. They will work with your CISO to create a policy that doesn’t harm your work plan or business objectives, and that ensures you don’t spend a lot of time and money on last-minute patches and fixes to secure your applications.