US government agencies and industry are under attack from cybercriminals and nation states that engage in espionage, steal data, and distribute ransomware. In fact, several government agencies recently issued a warning regarding the BlackMatter ransomware targeting the US food and agriculture industries. Increasingly, bad guys are targeting software supply chains – software development and software update processes – to amplify the blast radius of their attacks. We saw this with the SolarWinds hack and, more recently, with the Codecov software testing platform and the remote management software vendor Kaseya. Software supply chain attacks will continue to succeed as long as the divide between software development teams and information security teams persists. Until these two departments agree on common goals, attacks targeting software vulnerabilities will continue to wreak havoc.
InfoSec and software development misalignment gives attackers an advantage
Information security and software development have different and competing goals. The two teams have been at odds about this for many years, but the problem has become more acute as more businesses become digital businesses and applications permeate every aspect of our lives. Developers write the software and own the processes that carry it through development. They want to develop quickly, so they rely on open source and on code copied from other projects. Information security teams are architects and run security operations; they are incentivized to ensure that vulnerabilities are found and eliminated.
Security takes time in the development cycle and interferes with a developer’s ability to work quickly. These opposing goals have created antagonism within organizations, leaving security undervalued. The problem is further exacerbated by the fact that neither department can agree on who should be responsible for the security of the organization’s software creation process. A recent Venafi survey of over 1,000 security and development professionals found that 58% of security respondents said it should be their responsibility, 53% of developers claimed ownership, and only 8% said the responsibility should be shared.
Businesses attribute successful cyber attacks to buggy software, but the real culprit is smart, motivated adversaries who understand the organizational weaknesses of their targets. This internal conflict within organizations around the world delights attackers, who recognize the organizational weakness and exploit it.
Adversaries spend 100% of their time thinking about how to attack and compromise developers’ software and processes, but developers don’t spend much time thinking about the bad guy. Developers are not trained to think about attacks: their priority is to meet deadlines. However, developers should take greater responsibility for securing code and the code development process, since only they understand it and they are responsible for its integrity, which includes security.
Security, once an afterthought, is now a top priority for CEOs
Security in general is an afterthought, especially when it comes to software development. For the most part, executives see security as an additional task that must be taken care of. The problem is that this new class of attack targets software while it is being developed. If software under development is compromised and the compromise goes undetected, cybercriminals gain widespread and difficult-to-detect access to the data and networks of organizations and their customers.
Responsibility starts at the top. The CEO is responsible for aligning the development organization and the security team around common goals. Why the CEO? The modern organization is software. Software development occurs in every business unit and in every function. Software is a competitive advantage. Only the CEO has the perspective needed to align security and development goals across the organization.
So how do you fix it? Companies must align these two departments with a common goal of fostering rapid development that integrates security throughout the software development lifecycle. Here are some recommendations on how to do this.
The CEO leads the charge
DevSecOps is just an empty phrase if it doesn’t have a clear direction from the top. The reason the security-development alliance has failed in so many organizations is that it has been treated as a ‘good to have’ instead of a ‘must have’. CEOs need to send a clear message across the company and down the chain of command that development and security must work together on the common goal of quickly building secure software as part of their mission.
Responsibility for “fastsecure”
The CEO must accelerate and prioritize a new “fastsecure” approach that aligns development and information security with a common mission. The CEO can designate one of the top executives to hold teams accountable for working together to reduce security concerns while enabling rapid development. It is possible to have rapid development and secure development simultaneously, and that is the purpose of this initiative. The fastsecure leader will set a unified goal, foster a culture that embodies fastsecure, create a plan for success, and establish metrics to show progress. In the past, CISOs have been fired or replaced for data breaches. It’s time for C-level executives to feel the same urgency about problems caused by insecure software.
Eliminate confusion with shared responsibility
As the Venafi survey revealed, there is no agreement on who is responsible for secure software. Even 55% of the members of the management team disagree on which team is responsible. This leads to confusion and allows efforts to improve software security to slip through the cracks. Both teams should be equally responsible for software security efforts, and the incentives for both teams should be aligned and equal. Both teams should likewise be equally responsible for rapid development. The mandate in my company is that Infosec is always able to identify how a change to make something more secure actually increases the speed of the organization. At the same time, whatever development does to accelerate software development must simultaneously increase security.
The biggest new strategies and markets result from the merging of two attributes that are seemingly at odds. An example is found in the automotive industry. There were two categories: luxury and performance. Luxury cars were like boats: they cornered poorly, accelerated slowly, and weren’t fun to drive, but they were comfortable. Performance cars were uncomfortable, but they turned well, were quick, and were fun to drive. A Japanese automaker once combined luxury and performance into one car that was both fun to drive and luxurious. It captured significant market share, and today most cars combine comfort and performance. We have this opportunity right now to take a new approach to software development. We have to do it, or the attackers will keep the advantage.