[BreachExchange] CISO’s Guide to Secure Software Development

Destry Winant destry at riskbasedsecurity.com
Mon Feb 8 10:49:48 EST 2021


https://securityboulevard.com/2021/02/cisos-guide-to-secure-software-development/

To better protect personal data and ensure information security,
organizations should be taking advantage of vulnerability assessments
and measuring themselves against application security benchmarks. These
application security validations and certifications help ensure your
applications meet fundamental security requirements, including safe
programming practices, a well-organized design and secure operations.

This CISO's guide to secure software development can help you
understand and follow the priorities of the specifications for
application protection and why investing in application security
programs is necessary. First, some basics.

Data Leaks and Breaches are Costly

The cost of a data breach, and the resulting need for application
security risk management, is one of the main reasons why a secure
application strategy is a top priority for CISOs. Regardless of an
organization's size, a data breach can have devastating consequences,
both economically and for a company's brand reputation.

Key figures from recent industry reports that CISOs should be aware of:

- The average cost of a data breach in 2020 was US$ 3.86 million,
according to the Ponemon Institute and IBM Cost of a Data Breach report.
- The UK ICO's proposed GDPR penalties for the Marriott and British
Airways breaches were announced at roughly £99 million and £183 million
respectively (the final fines imposed in 2020 were substantially lower,
at £18.4 million and £20 million).
- The State of Ransomware 2020 report from Sophos found the average cost
to remediate a ransomware attack is around $733,000 USD for companies
that are attacked and don't pay the ransom. That roughly doubles, to
about $1.45 million USD, when companies do pay, since the ransom is paid
on top of the recovery cost.
- Organizations with a dedicated incident response (IR) team that tested
its IR plan using attack simulations saw an average saving of $2 million
USD per breach versus those who invested in neither.

5 Reasons CISOs Should Invest in Application Security

- Drowning in Cybersecurity Data
The number of sensors generating security data keeps growing,
including firewall logs, antivirus scan reports, insider threat
reports, DLP logs, vulnerability scan data, advanced persistent threat
(APT) reports, server access logs, authentication logs and more. The
variety, velocity and volume of this data can quickly overwhelm security
analysts. Automation and analytics are the only practical way to keep up.
- Reactive and Passive Approaches are not Enough
Logging, alerting and monitoring are not sufficient security measures
on their own. Tools that not only provide visibility but also react to
threats or incidents in near real time are necessary to limit damage.
Automated security operations, combined with hands-on threat hunting
and swift incident response, are essential to safeguard digital assets.
- Fragmentation and Chaos
As a CISO and their team continually react to threats, they accumulate
a disorganized mixture of HTML pages, PDF reports, XML extracts and CSV
files from different tools. These reports, files and pages are hard to
integrate and analyze, and harder still to feed into applications and
strategies that generate automated responses.
- The Shift from Discrete Security Events to Continuous Security
The cloud and DevOps enable frequent code deployments and dynamic
environments that break the conventional "certify once and monitor
forever" waterfall security model. Modern applications, infrastructure
and IT environments require a proactive, continuous security approach.
Security-as-code, in which security checks and policies are versioned
and applied automatically in the pipeline, is the methodology that
scales with this rate of change and reacts in real time.
- Data from Multiple Sources
CISOs typically maintain two distinct sets of dashboards: one for
internal and the other for external stakeholders. Both must operate on
the same underlying data sets, but this is not always the case: from
simple spreadsheets to advanced BI tools, CISOs have data streaming in
from multiple sources, which makes it difficult to consolidate the
necessary information and present consistent analytical dashboards to
the rest of the C-suite.

How to Build a Secure Application Strategy

- Create an Application Security Culture
A strong application security strategy starts at the top and then
flows down through the entire organization. The C-suite must commit to
security measures and make clear that they are a top priority.
Management, technical staff and non-technical personnel alike must be
trained on the significance of application security and follow best
practices.
- Take a DevSecOps approach
This approach builds security into every step and stage of the
application development process, with a shared understanding between
the security and development teams. A collaborative working
relationship results in more secure outcomes than security applied as a
final gate.
- Conduct All-Inclusive AppSec Testing
Test extensively using a wide variety of testing tools, including
dynamic and static application security testing, interactive
application security testing and software composition analysis tools.
The most comprehensive method uses manual testing in combination with
automated testing and threat modeling.
- Use an Application Vulnerability Manager
An application vulnerability manager enables development and security
teams to track fixes against the outcomes of previous AppSec testing
and to ship updates more effectively. It correlates the output of the
various testing tools and presents the results in one well-structured
report. It cross-references findings from SAST and DAST tools, removes
duplicates, and helps prioritize which vulnerabilities pose the most
severe threat to your company so you can patch and update accordingly.
Some tools integrate with developer environments, making it simple for
security and development teams to work together on the findings.
- Avoid Speed Traps
The pressure to develop applications faster is increasing, and
developers must avoid ignoring security to meet deadlines. Focus on
the significance of application security for enterprise success in the
long term, even if it means slowing some development processes.
- Create a Formal AppSec Plan
Create and follow a standardized application security plan. Your
strategy and tactics should be well-documented and include tools to
track, monitor and address security challenges and all organizational
benchmarks that are linked to application security. Regularly revisit
the plan to ensure it stays relevant and up to date.
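The correlation and prioritization step described under "Use an
Application Vulnerability Manager" (and the CSV/XML fragmentation
problem described under "Fragmentation and Chaos") is straightforward
to prototype. The following Python example is added here and is not
code from the original article or from any vendor's product. It
normalizes a constructed SAST CSV export and a constructed DAST XML
export into one schema, joins them on CWE plus the handler file that
serves a URL (using an assumed route map), and ranks findings so that
a weakness confirmed by both static and dynamic testing is fixed first.
All column and element names, tool names, file paths and URLs are
assumptions made for the example.

```python
"""Correlate SAST (CSV) and DAST (XML) findings and rank what to fix first.

Added example: the file formats, tool names, routes and severities below
are constructed for illustration, not output of any real scanner.
"""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed SAST export: one finding per row, keyed by source file.
SAST_CSV = """tool,file,line,cwe,severity
sast-a,app/login.py,42,CWE-89,high
sast-a,app/search.py,17,CWE-79,medium
sast-a,app/util.py,5,CWE-20,low
"""

# Constructed DAST export: one alert per element, keyed by URL.
DAST_XML = """<report tool="dast-b">
  <alert cwe="CWE-89" risk="high" url="https://example.test/login"/>
  <alert cwe="CWE-79" risk="medium" url="https://example.test/search"/>
  <alert cwe="CWE-693" risk="low" url="https://example.test/"/>
</report>"""

# Assumed route map (would come from the app's routing table): which handler
# file serves which URL path. This is what lets a static finding and a
# dynamic finding be recognised as the same weakness.
ROUTE_TO_FILE = {"/login": "app/login.py", "/search": "app/search.py", "/": "app/index.py"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    cwe: str
    location: str                      # handler file, the common join key
    severity: str
    sources: set = field(default_factory=set)   # {"sast", "dast"}
    detail: list = field(default_factory=list)  # tool-specific evidence

    @property
    def confirmed(self) -> bool:
        # Seen in the code (SAST) and reachable from outside (DAST): the
        # weakness is real and exposed, so it outranks single-tool findings.
        return {"sast", "dast"} <= self.sources

    @property
    def score(self) -> int:
        return SEVERITY_RANK.get(self.severity, 0) * 10 + (5 if self.confirmed else 0)


def parse_sast(text: str) -> list:
    """Normalize the CSV export; the file path is already the join key."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Finding(row["cwe"], row["file"], row["severity"].lower(),
                           {"sast"}, [f"{row['tool']}:{row['file']}:{row['line']}"]))
    return out


def parse_dast(text: str) -> list:
    """Normalize the XML export, mapping each URL path to its handler file."""
    root = ET.fromstring(text)
    tool = root.get("tool", "dast")
    out = []
    for alert in root.iter("alert"):
        path = urlparse(alert.get("url")).path or "/"
        location = ROUTE_TO_FILE.get(path, alert.get("url"))  # fall back to raw URL
        out.append(Finding(alert.get("cwe"), location, alert.get("risk").lower(),
                           {"dast"}, [f"{tool}:{alert.get('url')}"]))
    return out


def correlate(findings: list) -> list:
    """Merge findings sharing (CWE, location), keep the worst severity, rank."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        m = merged.setdefault(key, Finding(f.cwe, f.location, f.severity))
        m.sources |= f.sources
        m.detail += f.detail
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = f.severity
    return sorted(merged.values(), key=lambda f: f.score, reverse=True)


def prioritized_report(sast_csv: str = SAST_CSV, dast_xml: str = DAST_XML) -> list:
    return correlate(parse_sast(sast_csv) + parse_dast(dast_xml))


if __name__ == "__main__":
    for f in prioritized_report():
        flag = "CONFIRMED" if f.confirmed else "single-source"
        print(f"{f.score:3d} {f.severity:8s} {f.cwe:8s} {f.location:16s} {flag} {f.detail}")
```

With the constructed inputs, the SQL injection (CWE-89) in app/login.py
and the XSS (CWE-79) in app/search.py are each reported by both tools
and land at the top of the list, while the two single-source low
findings fall to the bottom. In a real deployment the route map would
be generated from the framework's router and the report fed into the
issue tracker rather than printed.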

Developing and following a strategy, using the right tools and
ensuring your entire organization is committed to application security
can reduce the chances of a data breach, safeguard the bottom line and
protect your business's reputation.


More information about the BreachExchange mailing list