How to Account for Cybercrime When Developing New Products
This is a guest article by tech writer Oren Rofman
As technology has increased in sophistication, so too has cybercrime. While private cloud servers may be the most commonly discussed targets nowadays, software products are in the line of fire as well.
One prominent example was the bug Instagram disclosed in late 2018, when the web app's data-download tool placed some users' plaintext passwords in the page URL, which also meant they could end up in browser history and server logs. Instagram gave few details, and the suggestion that attackers used AI-driven bots to scan the platform for such flaws rests on anecdotal evidence only. In the cyber arms race, AI is of course also being used to detect and stop attacks.
Today’s competitive business environment, meanwhile, has caused companies to pivot to continuous delivery models. Agile methodologies allow companies to develop better products in shorter cycles, but they also pose significant challenges from a cybersecurity perspective. Companies need to be proactive and reorient their security postures accordingly.
Here are four steps organizations can take right now to secure their new product development processes.
Develop Resilience Strategies
Cyber resilience is the measure of an organization's ability to keep operating during an attack and get back up and running afterwards. A resilience strategy is essential because no security control offers complete immunity from threats. Adopting a pragmatic approach and preparing for the worst will help your organization avoid catastrophic losses.
Preparation is the key to building resilience. Ensure backups are in place, that at least one copy is kept offline or otherwise out of reach of an attacker who has compromised production (ransomware operators routinely delete every backup they can reach), and that restores are tested regularly, so the data is actually available whatever level of disruption you eventually face. Training employees and making sure they follow cybersecurity best practices is a huge part of the preparation as well. Evaluate your organization's training and security programs: rather than merely raising awareness of threats, they need to focus on changing employee behavior.
Operations and development team employees aren’t the only ones who need education. Security team employees also must understand the importance of agile delivery models. Educate them about the tools used by various functional groups throughout the SDLC and encourage them to develop security use cases that correspond to development challenges.
Security and development teams should become partners and stop working as separate silos to realize the power of agile deployment. Delivering consistent messaging about cybersecurity throughout the organization, creating champion programs that put developers in touch with security employees, and developing collaborative training programs are great initiatives to consider.
On the technical side, implement AI-driven solutions to power your security. These solutions bring predictive modeling to your security programs and can enhance your ability to stay safe. Perhaps the best use of AI is to pair it with existing automated security processes and use machine intelligence to drive decisions. Team leaders can begin by trialing a few use cases and then expand once they’ve measured and verified results. Give operations and developer teams time to adjust to the new processes and increase the scope of the new process gradually.
For example, you might start by using anomaly detection on authentication events. Credential theft and account takeover are among the most common tactics employed by cybercriminals. Models trained on each user's normal login behavior (locations, devices, times of day) can flag deviations quickly and trigger an automated response, such as step-up authentication, session revocation, or an alert to the security team, before widespread damage occurs.
To build true resilience, organizations need to invest in automation at every stage of the software development lifecycle (SDLC). These security checks should plug into the automation teams already run: a team that uses a continuous integration or continuous deployment pipeline needs its security tests (dependency scanning, static analysis, secret detection) to run as pipeline stages rather than as a separate process.
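The identity-anomaly idea above, worked through as an added example (not code from the article or any vendor product). It uses a deliberately simple per-user statistical baseline rather than a deep-learning model, which is enough to show where the signal comes from: a login is scored on whether its country, device fingerprint and hour of day match what that user has done before. The events, weights and alert threshold are all constructed for the example.

```python
"""Score login events against a per-user behavioural baseline (added example).

The baseline is a simple set-membership model, not the deep-learning
approach the text mentions; the detection logic is the same idea.
All events below are constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, country, device fingerprint)
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:02:00", "DE", "fp-a1"),
    ("alice", "2024-03-02T08:55:00", "DE", "fp-a1"),
    ("alice", "2024-03-03T09:10:00", "DE", "fp-a1"),
    ("alice", "2024-03-04T18:30:00", "DE", "fp-a1"),
    ("bob",   "2024-03-01T22:00:00", "US", "fp-b1"),
    ("bob",   "2024-03-02T21:45:00", "US", "fp-b2"),
    ("bob",   "2024-03-03T23:05:00", "US", "fp-b1"),
    # events to be scored against the baseline built from the seven above
    ("alice", "2024-03-10T03:14:00", "BR", "fp-z9"),   # new country, new device, off-hours
    ("alice", "2024-03-11T09:00:00", "DE", "fp-a1"),   # normal
    ("bob",   "2024-03-10T22:30:00", "US", "fp-b3"),   # only a new device: below threshold
]

# Weights and threshold are assumptions for the example; tune them against real false-positive rates.
WEIGHTS = {"new_country": 2, "new_device": 1, "off_hours": 1}
ALERT_THRESHOLD = 2
HOUR_TOLERANCE = 2  # hours either side of a previously seen login hour count as normal


def build_baseline(history):
    """Collect the countries, devices and login hours each user has used before."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in history:
        entry = baseline[user]
        entry["countries"].add(country)
        entry["devices"].add(device)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def _hour_is_normal(hour, seen_hours):
    # Compare on a 24-hour circle so 23:00 and 01:00 are two hours apart, not 22.
    for seen in seen_hours:
        diff = abs(hour - seen)
        if min(diff, 24 - diff) <= HOUR_TOLERANCE:
            return True
    return False


def score_event(baseline, event):
    """Return (score, reasons) for one login; a user with no history scores as fully anomalous."""
    user, ts, country, device = event
    entry = baseline.get(user)  # .get() does not create a default entry
    if entry is None:
        return sum(WEIGHTS.values()), ["no_baseline_for_user"]
    reasons = []
    if country not in entry["countries"]:
        reasons.append("new_country")
    if device not in entry["devices"]:
        reasons.append("new_device")
    if not _hour_is_normal(datetime.fromisoformat(ts).hour, entry["hours"]):
        reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect_anomalies(history, new_events, threshold=ALERT_THRESHOLD):
    """Return the new events whose score reaches the threshold, with the reasons."""
    baseline = build_baseline(history)
    flagged = []
    for event in new_events:
        score, reasons = score_event(baseline, event)
        if score >= threshold:
            flagged.append({"user": event[0], "timestamp": event[1],
                            "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in detect_anomalies(SAMPLE_EVENTS[:7], SAMPLE_EVENTS[7:]):
        print(f"ALERT {hit['user']} at {hit['timestamp']} score={hit['score']} {hit['reasons']}")
```

Run as-is it flags only alice's 03:14 login from a new country on a new device; bob's new device alone stays below the threshold, which is the trade-off the weights encode. In production the flagged event would feed the response step (step-up authentication or session revocation) rather than just a print.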
Combining these technical tools with a shift in security culture will help your organization create an environment that can react quickly if an attack occurs.
Use Ethical Hackers
One of the biggest advantages of using AI-driven security programs is that organizations can leverage their predictive abilities. There aren’t many solutions right now that offer these abilities, and many organizations may find them tough to integrate into their existing solutions.
There is, however, a completely human-driven way of replicating their behavior. As recently as five years ago, the word “hacker” would have sent shivers through organizations’ security personnel. These days, ethical hackers have become a part of the security infrastructure. Leading companies such as Verizon and Uber routinely turn to the ethical hacker community to detect security vulnerabilities.
These are just two examples among the many companies that offer bug bounties, with payouts ranging from a few hundred dollars to seven figures for the most severe findings. Organizations can also run programs through platforms such as Synack, Bugcrowd, and HackerOne, or contract penetration tests directly. Such approaches might sound unconventional, but fast-paced release environments require them. They also help developers see, concretely, how code shipped without security review compromises the organization.
Ethical hacking companies can also be contracted, in partnership with the cybersecurity team, to build isolated test environments (security sandboxes) for development teams. In these, developers can deploy a build and run vulnerability scans against it without waiting for the security team to intervene.
As long as security standards and practices are defined, these sandboxes let developers ship code at the pace their Agile framework demands. They also underscore the importance of considering security during development and make security an integral part of the SDLC.
Use Pre-Vetted Code Templates and Building Blocks
Security teams can create standard code templates (for authentication, input validation, logging, or service-to-service calls, for example) that already follow the organization's security standards, and developers can start new projects from them. This greatly reduces the chance of a developer overlooking a security standard, although templates must be versioned and kept current, since code copied from a template does not pick up later fixes on its own.
These templates can also emit standard telemetry that gives developers feedback and helps them meet security standards. Standardized templates let security teams view that telemetry across the entire organization and compile it into better reports for the CISO and CIO to review.
Beyond templates created by security teams, developers can work with security teams to identify code repositories that have been vetted for their security properties. This reduces the burden on engineering teams of writing code for new projects from scratch, reduces the friction of mid-development security evaluations, and draws on existing community knowledge to shorten development cycles.
In a similar vein, companies can turn to embeddable third-party components that integrate with their existing applications, and license white-label-friendly API libraries and SDKs. The "buy instead of build" approach lets companies draw on the expertise of niche software providers and fit their products into a seamless agile workflow. It does not remove the need to vet those components, though: a third-party SDK or API library becomes part of your software supply chain, so its provenance, update cadence, and vulnerability disclosures need the same attention as in-house code.
Implement Agile Security Models
One recent survey by KPMG found that most CEOs rate cybersecurity as their organization's second-highest risk to future growth. However, most CEOs don't work closely with their CISOs to implement security processes. To support continuous delivery models, CISOs need greater freedom to implement new security solutions and tailor them to strengthen the product's market fit.
Traditional cybersecurity involvement in projects is infrequent and heavy. There are typically a few points throughout the project where the product and security teams meet and conduct security audits. In an agile release environment, such practices have very little use. Instead of the infrequent and heavy model, a frequent and light model needs to be implemented.
Security teams should be embedded from the design stage onward, and automated testing tools need to run before code is merged. The biggest challenge of this model is that the skillset of the traditional security professional is ill-suited to the task.
Most security professionals lack a development background, which leads them to interact with development teams in a heavy-handed and gated manner.
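The "frequent and light" model above, and the earlier point that security tests belong in the CI/CD pipeline, both come down to a gate that runs automatically on every merge request. The following is an added example of such a gate (not the article's or any vendor's tooling): it scans the changed files for hard-coded secrets, a risky call pattern, and unpinned dependencies, and fails the job on high-severity findings. The file contents, patterns and severities are constructed for the example; in a real pipeline the changed-file list would come from the checkout (for instance `git diff --name-only origin/main...HEAD`), and this script would sit beside, not replace, a proper SAST tool and dependency scanner.

```python
"""Pre-merge security gate (added example).

Runs cheap automated checks over changed files and exits non-zero on
blocking findings, so a CI job using it fails the merge request.
The changed files below are constructed; a real job reads them from the checkout.
"""
import re
import sys

# Constructed changed files, as a CI job would see them after checkout.
# The AWS key is the documented placeholder key from AWS's own examples, not a real credential.
CHANGED_FILES = {
    "app/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'hunter2'\n"
    ),
    "app/tasks.py": (
        "import subprocess\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
    ),
    "requirements.txt": "requests==2.31.0\nflask\n",
}

# Pattern sets are assumptions for the example; a real gate would use a maintained rule set.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded_password", re.compile(r"(?i)(password|passwd|secret)\s*=\s*['\"][^'\"]+['\"]")),
]
RISKY_CALLS = [
    ("shell_true", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("eval", re.compile(r"\beval\(")),
]


def _finding(path, lineno, check, severity):
    return {"file": path, "line": lineno, "check": check, "severity": severity}


def scan_file(path, text):
    """Return the findings for one file; requirements files get the pinning check only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if path.endswith("requirements.txt"):
            dep = line.split("#", 1)[0].strip()  # ignore comments and blank lines
            if dep and "==" not in dep:
                findings.append(_finding(path, lineno, "unpinned_dependency", "medium"))
            continue
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(_finding(path, lineno, name, "high"))
        for name, pattern in RISKY_CALLS:
            if pattern.search(line):
                findings.append(_finding(path, lineno, name, "high"))
    return findings


def run_gate(changed_files, block_on=("high",)):
    """Scan every changed file; return (passed, findings), passing only if no blocking severity appears."""
    findings = []
    for path, text in changed_files.items():
        findings.extend(scan_file(path, text))
    passed = not any(f["severity"] in block_on for f in findings)
    return passed, findings


if __name__ == "__main__":
    ok, results = run_gate(CHANGED_FILES)
    for f in results:
        print(f"{f['severity'].upper():6} {f['file']}:{f['line']} {f['check']}")
    print("gate:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)  # non-zero exit is what makes the CI stage fail
```

The medium-severity unpinned dependency is reported but does not block by default; raising `block_on` to include `"medium"` is a policy decision the security and development teams should make together, which is exactly the partnership the text argues for.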
Some organizations are reacting to this challenge by promoting employees with development backgrounds to the CISO role and educating their developers in security practices. Change begins by redefining the CISO’s role and bringing them closer to the CIO. The CISO needs to define security solutions and processes that enhance the organization’s goals.
Championing security as a way of developing better solutions for customers is a great way to begin. Doing this will help push security up the priority list of development teams and will reduce the friction between them and employees in security roles. The traditional silos in which development and security teams have worked need to be broken down for cybersecurity to adapt to the continuous release environment.
Security must adapt to the changing technological needs of continuous delivery as well. Infrastructure such as cloud storage, containers, and VMs comes with its own controls and failure modes. Security teams should understand that product value always comes first, and security needs to adapt to remain relevant. Embracing the new technology and automating as many security processes as possible will help them keep up in a shifting environment.
The key is for the CEO, CIO, and CISO to start having conversations about the state of their KPIs and whether they’re still relevant to their deployment methodologies. Security needs to be a part of innovation – not a hurdle that has to be cleared.
Agile Deployment Demands Agile Security
There’s no doubt that securing an agile deployment process is challenging. However, by integrating security throughout the SDLC, organizations can deliver products that are both secure and provide great solutions to their customers.
With consumers becoming more conscious of security as the days go by, organizations must consider the role security plays in product development and integrate it across all of their processes.
A Tel Aviv native, Oren Rofman is a veteran of the Silicon Wadi tech ecosystem and an expert in information technology, blockchain, big data and cloud security.