
Mix red, blue and yellow to create secure software

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 23 May 2018
April Wright, senior manager: information security and compliance at Verizon.

Software is still not up to scratch security-wise because the people who build it care more about functionality than about security. It is up to security experts to make them care, which can be a challenge, because different teams within an organisation have different goals.

So said April Wright, senior manager: Information Security and Compliance at Verizon, during her keynote address at the ITWeb Security Summit 2018, at Vodacom World in Midrand yesterday.

A new paradigm

Outlining a new paradigm for integrating developers with the offensive and defensive teams to improve the software development lifecycle (SDLC) and software security, Wright said developers can become a critical part of the security team once they better understand the challenges of digital forensics and incident response (DFIR).

"We want to develop secure software, pack it securely and also ensure it's well protected through compliance and audits. However, the software engineers, architects, project managers and DevOps have a completely different goal. They care more about the software doing what it's supposed to do, than about its security."

The cost of a single data breach is over $3.5 million on average and software vulnerabilities are key entry points for hackers, she noted.

"We see software being hacked all the time and this has huge repercussions for organisations. By the time they try to beef up security, it's too late; they've lost time, money and customers."

Teams of many colours

She outlined the different teams within an organisation's information security division, and the need to create collaboration between them, using a colour scheme in which the teams are labelled red, blue, purple, yellow, orange and green.

The blue team consists of those focused on forensics and incident response, while the red team focuses on the nature of vulnerabilities and the current threats that attackers are creating against the software, providing insight into the mindset of a hacker. The yellow team is made up of the developers and builders, Wright explained.

Integrating the red, blue and yellow teams in a structured way will provide knowledge-sharing, strengthen defences, coverage and response, and ultimately ensure the development of a high level of security maturity over time, she asserted.

When the red and blue teams work together and engage with each other on an ongoing basis, the result is a purple team, which she described as a good example of security teams collaborating. However, she said, the problem is that a purple team only finds the bugs; it does not ask why the bugs are there in the first place, and it does not educate the developers. "This is why there is a need for further collaboration between the teams, driving a need to introduce an orange team."

The orange team (a combination of red and yellow teams) is a way for the red team to share knowledge with the yellow team about the nature of the current threats against the software, and gain insight into the mind of a hacker, she continued.

"The orange team helps developers create code based on current threats. When there is collaboration between teams, then the developers will gain insight into security."

Furthermore, the yellow team needs to collaborate with the blue team to create the green team. She continued: "This team aims to increase the defences to address issues relating to forensics and incident response, ensuring that software is capable of providing good DFIR information."
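What "good DFIR information" from software looks like in practice is an agreed audit-event schema that a responder can pivot on. The following is an added illustration, not code from Wright's talk or from Verizon: an application emits one structured JSON event per security-relevant action (UTC timestamp, event name, outcome, actor, source IP and a correlation ID), a parser rejects records that drop a required field, and a small query over the events surfaces a password spray. The field names, the `auth.login` event and the sample events are constructed for this example; the IP addresses are from documentation ranges.

```python
import json
import uuid
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone, timedelta
from typing import Dict, List, Optional

# Fields a responder needs to answer "who did what, from where, when, with what result".
# This schema is an assumed convention for the example, not an industry standard.
REQUIRED_FIELDS = {"ts", "event", "outcome", "actor", "src_ip", "request_id"}


@dataclass
class AuditEvent:
    ts: str            # UTC timestamp in ISO 8601, so events from many hosts sort together
    event: str         # stable event name, e.g. "auth.login" (assumed name)
    outcome: str       # "success" or "failure"
    actor: str         # the account involved (the *claimed* username on a failure)
    src_ip: str        # client address as seen by the application
    request_id: str    # correlation ID shared with web-server and downstream logs
    detail: Dict[str, str] = field(default_factory=dict)


def make_event(event: str, outcome: str, actor: str, src_ip: str,
               when: Optional[datetime] = None, request_id: Optional[str] = None,
               **detail: str) -> AuditEvent:
    """Build one audit event; `when` is only overridden in tests and samples."""
    when = when or datetime.now(timezone.utc)
    return AuditEvent(
        ts=when.isoformat(timespec="milliseconds"),
        event=event, outcome=outcome, actor=actor, src_ip=src_ip,
        request_id=request_id or str(uuid.uuid4()),
        detail=dict(detail),
    )


def to_json_line(ev: AuditEvent) -> str:
    """One JSON object per line: greppable, and ingestible by a SIEM without a custom parser."""
    return json.dumps(asdict(ev), sort_keys=True)


def parse_json_line(line: str) -> AuditEvent:
    """Reject records missing a required field, so a schema regression (for example a
    developer dropping src_ip from the log call) is caught in tests, not during an incident."""
    obj = json.loads(line)
    missing = REQUIRED_FIELDS - obj.keys()
    if missing:
        raise ValueError(f"audit record missing fields: {sorted(missing)}")
    return AuditEvent(**obj)


def failed_logins_by_ip(events: List[AuditEvent], window: timedelta = timedelta(minutes=5),
                        threshold: int = 5) -> Dict[str, int]:
    """Return {src_ip: total failed logins} for every source with at least `threshold`
    failures inside any sliding `window`. Possible only because each event carries a
    source IP and a sortable UTC timestamp."""
    by_ip: Dict[str, List[datetime]] = {}
    for ev in events:
        if ev.event == "auth.login" and ev.outcome == "failure":
            by_ip.setdefault(ev.src_ip, []).append(datetime.fromisoformat(ev.ts))
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def sample_events() -> List[AuditEvent]:
    """Constructed sample: one address tries six accounts in under two minutes, an unrelated
    user logs in normally, then the spraying address succeeds against 'alice'."""
    t0 = datetime(2018, 5, 22, 10, 0, 0, tzinfo=timezone.utc)
    evs = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        evs.append(make_event("auth.login", "failure", user, "203.0.113.7",
                              when=t0 + timedelta(seconds=20 * i), reason="bad_password"))
    evs.append(make_event("auth.login", "success", "grace", "198.51.100.4",
                          when=t0 + timedelta(seconds=30)))
    evs.append(make_event("auth.login", "success", "alice", "203.0.113.7",
                          when=t0 + timedelta(minutes=3)))
    return evs


def analyse(lines: List[str]) -> Dict[str, int]:
    """Round trip: parse the JSON lines the application wrote, then run the query."""
    return failed_logins_by_ip([parse_json_line(line) for line in lines])


if __name__ == "__main__":
    lines = [to_json_line(e) for e in sample_events()]
    print("\n".join(lines[:2]))
    print("spraying sources:", analyse(lines))
```

The contrast with a bare `log.info("login failed")` is the point of the green team: without the actor, source address and correlation ID on every event, the blue team cannot tell a spray from a forgotten password, and cannot link the later success from the same address back to the failures that preceded it.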

Organisations also benefit when employees have multiple skill sets, as cross-training helps during times of employee strikes or when people don't show up for work, she concluded.
