
Achieving Security by Design is a question of accountability

The software industry's approach to vulnerabilities is no longer working. Last year alone saw over 28,000 new CVEs published, a record that illustrates the ongoing patching crisis facing security and development teams, which are under constant pressure to patch vulnerabilities or accept the exposure. In the last 12 months, over 50 percent of organizations suffered eight or more breaches that traced back to software vulnerabilities. The same survey found that only 11 percent believe they patch effectively and in a timely manner. This dilemma is the result of a software industry that is far too comfortable releasing insecure applications to end users. Software vendors have long prioritized speed to market, with security an afterthought addressed through updates and patches, and we can no longer accept it.

Security leaders, regulators, and the industry itself must embrace a higher security standard: holding software vendors and developers accountable for security from the outset, truly embracing secure by design principles, requiring clearer disclosure and faster remediation of vulnerabilities, and expecting more regular and rigorous security testing of applications, even after their release.

So, whose responsibility is it?

This crisis is perpetuated by the well-publicized security skills gap. In fact, 47 percent of organizations blame their difficulty remediating vulnerabilities in production on a lack of qualified personnel, showing that even within the software development lifecycle (SDLC) the security burden is unevenly spread. In large organizations, though, resources should not be an accepted excuse for poor security standards. End users with tight security budgets and smaller teams should never have to shoulder the security shortfalls of a solution that they have paid for and expected to be trustworthy.

But competing aggressively for talent from the limited pool of people with security expertise is not the only solution: the shift-left and shift-everywhere movements have long emphasized the importance of security skills across the SDLC, including within development teams.

With many developers now turning to AI-generated code to increase efficiency even further, it is critical that they are also equipped with the secure coding knowledge to thoroughly assess that output for security flaws before it ships. Fostering the security skills of their developers is a critical way for large software vendors to reduce the number of vulnerabilities reaching production while showing a real commitment to improving the security of the applications they release.

Moving beyond ticking boxes

Developing a security-centric mindset within all software vendors will be crucial to overcoming today's patching crisis. There is often a disconnect between security and development teams, with the goal of security appearing to be at odds with competitive success. Driving a culture of shared responsibility would help establish accountability in every department and at every stage of the SDLC, without penalizing organizations that prioritize security over speed to market.

Well-trained and knowledgeable development teams and project managers are the foundation of this change. The unfortunate reality is that many organizations do not see security training for developers as a priority, with 68 percent providing secure coding training only for compliance purposes or in the aftermath of an exploit. The urge to create code faster than ever often means that developers' schedules cannot accommodate even short secure coding sessions, so organizations train only when they have to. Checking the box for compliance is easy, but it does not build a security-centric culture; it opens the door to complacency, oversight, and poor retention from the secure coding sessions that do happen.

The industry as a whole is severely lacking in the prevalence, frequency, and quality of training. Software vendors need to understand that software security is a central concern for their customers, one that justifies continuous training and time set aside for rigorous code review.

Proactivity is always the answer

Building a comprehensive and proactive approach to software security can help organizations mitigate risk when software vendors fail. A concerning 55 percent of security leaders report that misalignment between development, compliance, and security teams causes delays in patching, and in the largest technology companies, with more teams and more hand-offs, that misalignment only grows. By taking a proactive approach that assesses and responds to CVEs based on risk prioritization rather than raw severity, organizations can realign their teams around clear patching protocols.
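What "risk prioritization" looks like in practice is a ranking that combines severity with exploitation evidence and exposure, so a moderately scored bug that is being exploited on an internet-facing host is fixed before a critical one buried on an isolated build server. The script below is an added example, not code from the original article or from SD Times. The findings, the scoring weights, the priority thresholds and the SLA days are all constructed for illustration, and the CVE identifiers (CVE-0000-000N) are placeholders, not real vulnerabilities.

```python
"""Risk-based patch prioritisation over a constructed vulnerability inventory.

Added example. Weights, thresholds, SLAs, hosts and CVE IDs are invented
for illustration; adapt them to your own asset inventory and threat intel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # base score, 0.0-10.0
    known_exploited: bool  # e.g. listed in a known-exploited-vulnerabilities catalogue
    internet_facing: bool  # asset reachable from the internet
    asset_criticality: int # 1 (low) .. 3 (crown jewel)
    host: str


# Remediation deadline in days for each priority band (assumed policy).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


def risk_score(f: Finding) -> float:
    """Combine severity with exploitation and exposure context.

    CVSS is the starting point; evidence of active exploitation and
    internet exposure add fixed bumps, and business criticality adds
    one point per level above 'low'. Capped at 20 for readability.
    """
    score = f.cvss
    if f.known_exploited:
        score += 4.0
    if f.internet_facing:
        score += 2.0
    score += 1.0 * (f.asset_criticality - 1)
    return round(min(score, 20.0), 1)


def priority(f: Finding) -> str:
    """Map a finding to a priority band.

    A known-exploited bug on an internet-facing asset is always P1,
    whatever its CVSS says; everything else is banded by risk_score.
    """
    if f.known_exploited and f.internet_facing:
        return "P1"
    s = risk_score(f)
    if s >= 12.0:
        return "P1"
    if s >= 9.0:
        return "P2"
    if s >= 6.0:
        return "P3"
    return "P4"


def triage(findings):
    """Return the patch queue: tightest SLA first, then highest score, then CVE."""
    rows = [(f, priority(f), risk_score(f)) for f in findings]
    rows.sort(key=lambda r: (SLA_DAYS[r[1]], -r[2], r[0].cve))
    return [
        {"cve": f.cve, "host": f.host, "priority": p,
         "score": s, "sla_days": SLA_DAYS[p]}
        for f, p, s in rows
    ]


# Constructed inventory: note the 9.8 on an isolated build host ranks below
# a 6.5 that is actively exploited on an internet-facing service.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, False, False, 1, "build-01"),
    Finding("CVE-0000-0002", 6.5, True,  True,  2, "web-edge-03"),
    Finding("CVE-0000-0003", 4.3, False, True,  1, "marketing-www"),
    Finding("CVE-0000-0004", 3.1, False, False, 1, "lab-vm-7"),
    Finding("CVE-0000-0005", 7.5, True,  False, 3, "payments-db"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f'{row["priority"]} {row["sla_days"]:>3}d  {row["score"]:>5}  '
              f'{row["cve"]}  {row["host"]}')
```

The ordering is the point: CVE-0000-0002 (6.5 but exploited and exposed) and CVE-0000-0005 (exploited on a crown-jewel host) go to the top of the queue with a three-day SLA, while the 9.8 on the isolated build host drops to P2. Feeding the same function both the development backlog and the security team's ticket queue is one way to give the two groups the single, agreed patching protocol the paragraph above calls for.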

In a threat landscape where reactive methods are no longer sufficient, investing in education and detection is crucial. When developing in-house applications or configurations, developers should be capable of spotting code that could give threat actors a foothold in their networks. Although it is the responsibility of software vendors to release secure applications, many vulnerabilities arise from misconfiguration when software is deployed onto a new or existing system. It is absolutely crucial that in-house developers have the education and skills to ensure that applications are configured and used as designed, and that they scan regularly for new vulnerabilities before a bad actor can exploit them.

The current patching crisis is a by-product of the rapid innovation happening in the industry today, and innovation is not an inherently bad thing. But as customers and regulators come to expect higher standards of software security, organizations can meet the patching crisis head on by embracing "security by design" principles and proactive patch management strategies in their own internal teams.

The post Achieving Security by Design is a question of accountability appeared first on SD Times.
