[BreachExchange] Effective Data Security Is A Team Effort

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 29 15:01:16 EDT 2018


https://www.cybersecurityintelligence.com/blog/effective-data-security-is-a-team-effort-3496.html

Effective data security is a fundamental requirement for every business
today. In the past, the responsibility for achieving it was often laid
firmly at the door of the IT team, but today, data security requires close
communication between many different internal teams.

The central tenet of any effective security program is the ability to
communicate up and down the command chain quickly and effectively, but this
isn’t always easy to achieve.

With more and more business taking place online, vulnerabilities in web
applications are becoming increasingly problematic. The ability to identify
and resolve issues fast can make the difference between keeping attackers
out and potentially suffering significant data loss. Yet all too often, it
is friction between parties within the command chain that slows down
response times and prevents efficient security practices.

According to recent research, the average time it takes for critical
website vulnerabilities to be found and remediated is 300 days, meaning the
window for exploitation is significant.

Closing these windows as fast as possible should be a top priority for
every business, so how can the three key parties within the app security
command chain (security professionals, senior leadership and DevOps) work
together to speed up the security process and protect the organisation more
effectively?

Security Professionals
The chance of any application security program delivering its full benefit
without the direct involvement of the application development team is
extremely low. Security professionals have the unique opportunity to
evolve the application security program by balancing risk, organisational
maturity and business goals.

Security data and analytics should be a security professional's best tools
to drive, and eventually evidence, overall improvement in an organisation's
application security posture.

Using industry remediation rates as a baseline for improvement is a good
way to enhance an organisation’s security posture, but it can be easier
said than done. Few security professionals have the authority or power to
directly influence the security of web applications under development in
the DevOps team.
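As an added illustration of the kind of analytics the article has in mind (not code from the article or its author), the Python below computes time-to-remediate per severity from finding records and flags open findings already past the 300-day industry figure quoted above; the records, application names and as-of date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Industry figure quoted in the article: critical web-app vulnerabilities
# take around 300 days on average to be found and remediated.
INDUSTRY_BASELINE_DAYS = 300
AS_OF = date(2018, 6, 29)  # assumed reporting date (the post's date)

@dataclass
class Finding:
    app: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None while the finding is still open

# Constructed sample records; none of these are real findings or systems.
FINDINGS = [
    Finding("billing-portal", "critical", date(2017, 9, 1), date(2018, 1, 15)),
    Finding("billing-portal", "high", date(2017, 11, 20), date(2018, 2, 3)),
    Finding("customer-api", "critical", date(2018, 3, 2), None),
    Finding("customer-api", "medium", date(2018, 4, 10), date(2018, 4, 25)),
    Finding("intranet", "critical", date(2017, 6, 1), date(2018, 5, 31)),
    Finding("legacy-cms", "high", date(2017, 7, 1), None),
]

def days_to_remediate(f: Finding, as_of: date) -> int:
    """Exposure window in days; an open finding is counted up to `as_of`."""
    return ((f.remediated or as_of) - f.discovered).days

def median_ttr(findings, severity: str, as_of: date):
    """Median time-to-remediate over closed findings of one severity, or None."""
    closed = [days_to_remediate(f, as_of) for f in findings
              if f.severity == severity and f.remediated is not None]
    return median(closed) if closed else None

def open_beyond_baseline(findings, as_of: date, baseline=INDUSTRY_BASELINE_DAYS):
    """Open findings whose exposure window already exceeds the baseline."""
    return [f for f in findings
            if f.remediated is None and days_to_remediate(f, as_of) > baseline]

def posture_report(findings, as_of: date, baseline=INDUSTRY_BASELINE_DAYS) -> dict:
    """Summarise remediation performance against the industry baseline."""
    ttr = {s: median_ttr(findings, s, as_of) for s in sorted({f.severity for f in findings})}
    crit = ttr.get("critical")
    return {
        "median_ttr_days": ttr,
        "critical_beats_baseline": crit is not None and crit < baseline,
        "open_beyond_baseline": [f"{f.app}:{f.severity}"
                                 for f in open_beyond_baseline(findings, as_of, baseline)],
    }

if __name__ == "__main__":
    print(posture_report(FINDINGS, AS_OF))
```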

As such, they need to skillfully position themselves as key development
partners, using their knowledge of security analytics to add value to the
process. Effectively doing so will allow them to ‘influence without
authority.’

At the other end of the chain, it’s critical for security professionals to
also keep the senior leadership team abreast of key events and developments
taking place. Doing so will help to minimise any pressure from executives
that feel out of the loop, while ensuring any pre-agreed timetables are met.

Senior leadership
Senior leadership teams across all industries must accept the fact that the
clear majority of their business applications are at some degree of risk.
Despite this, many still weigh up security as a risk vs cost exercise.

If the perceived cost of finding and addressing a vulnerability is too
high, they will often choose not to. This can be spectacularly
shortsighted, particularly when the cost of reputational damage and data
loss is factored into the equation.

Members of the senior leadership are ideally placed to change the way an
organization’s DevOps and security teams approach software. Whether
outsourced, purchased or developed in-house, nearly every piece of software
is typically introduced with functionality and time-to-market as the top
priorities.

But if teams aren’t given the time they need to integrate new software
properly, chances are they will end up introducing new security flaws at
the same rate as older ones are being rectified; not an ideal situation.

If executives want to truly understand and protect against the security
threats faced, they must invest the time needed to get to grips with their
entire application landscape.

Analytics can be used to help identify and prioritise the most business
critical applications. Next, they must ensure the organisation’s security
professionals have the tools they need to find vulnerabilities, while
making sure development teams are held accountable for application security
before they’re allowed to disengage from projects.

DevOps
When it comes to application security, the DevOps team have the hardest job
of all. Actionable vulnerability data is rarely available during actual
development cycles, meaning many security flaws only surface once an
application has already gone live.

Furthermore, due to time constraints imposed by senior leadership, DevOps
teams are often confined to conducting security assessments at the last
minute, just prior to release, which is far too late in the day to be
effective.

DevOps teams need to work closely with security professionals and senior
leadership to build security into the entire development lifecycle. Moving
to a continuous integration process can help with this, as can the use of
both dynamic scanning and source scanning throughout the development and
implementation phases. It’s also the role of DevOps to demonstrate to
senior leadership that a slightly longer development phase is far
preferable to repeating the entire process multiple times because
vulnerabilities were only discovered after release. However, this is only
possible if both DevOps and security professionals can communicate
effectively up the chain of command, without fear.

Delivering effective app security in today’s business environment can be
extremely challenging. In order to achieve it, teamwork and communication
throughout the command chain are both critical, so that the different
groups involved can understand the various challenges and drivers faced at
each level.