Security continues to be an evolving challenge for organizations around the world, and new threats and vulnerabilities are putting increased pressure on vendors to improve their cybersecurity profiles. Customers, governments, and organizations are more likely to inquire about the security of a company’s products and processes than ever before.
And while no single tactic, practice, process, or technology can guarantee security, it’s important to begin implementing or upgrading basic practices to improve security infrastructure. But this can be a daunting task, especially when it comes to product assurance.
To help, here is some practical advice for companies looking to create or improve their cybersecurity profile.
Improving Your Cybersecurity Profile
Over the last several years, security has played an increasingly crucial role in the product development lifecycle (PDL). As a result, developers, engineers, and product teams are now focusing intently on creating secure products.
When it comes to product assurance, there are three major areas—integration, automation, and community engagement—to focus on when working to improve a company’s cybersecurity profile.
Integrate Secure and Product Development Lifecycles
Integration is key during product development. But today, many organizations do not integrate the product development lifecycle with the secure development lifecycle (SDL).
There is a movement to shift security earlier in the lifecycle, from operations toward development, to help discover and prevent vulnerabilities. This can extend to the lifecycles of upstream components that a company builds on before adding its own value.
In cases where third-party hardware or software is not scrutinized, vulnerabilities can be harder to discover but also more broadly distributed, which can make them harder to remediate. For example, the Equifax breach in 2017 was reported to be the result of a vulnerability in open-source software. And more recently, the world reacted to another open-source vulnerability in Log4j.
Designing products with security in mind from the very beginning and demanding transparency in security practices from vendors is a good place to start when improving security.
Include Robust Threat Modeling
Include robust threat modeling at the beginning of the development process. As a part of that process, understand what is most valuable to the customer and how that could come under threat.
Create use cases, but also train developers to think like an attacker so they can assess the dangers of unintended usage. In addition, set up checkpoints that a product must pass through before it is considered ship-ready.
This will not work without buy-in from executives across the company, so it’s usually a good idea to recognize that there will be requests for waivers and to assign an escalation path up front that includes product and security executive sign-off.
Ultimately, PDL and SDL should merge into a single process, including elements from security, privacy, functionality, and quality.
Train Staff on Product Security Basics
Train all developers and engineers in the basics of product security, and make sure they understand that security is part of their job. Also, let them know that there are experts available to help them.
If a company can’t dedicate a security professional to each product team, it should consider training and designating “security champions” who can help product teams stay on top of security best practices and tools. These champions can also help maintain consistency of expectations across a company’s portfolio. While today this role is often a side job, expect it to become more common as a full-time position in the future.
Automate Threat and Vulnerability Detection
Automation offers tremendous value when properly applied to security assurance. It allows product teams to check for known vulnerabilities while lightening the load on engineers.
Scanning code manually can be laborious. Automation streamlines and accelerates the process of finding threats and vulnerabilities. Consider the following:
- Start by examining your own code for errors. Many off-the-shelf static analysis tools can scan code for patterns that represent likely vulnerabilities that developers may miss, such as buffer overflows, integer overflows, or arithmetic errors.
- Next, check third-party components for known vulnerabilities using composition analysis tools.
- Then, invest in cybersecurity tools that check against publicly disclosed vulnerabilities such as scanners and fuzzers. While it may be tempting to start with advanced tools, it’s usually best to start simple and build up to the more advanced features when needed. There are several off-the-shelf and open-source scanners and fuzzers available.
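As an added example (not code from the original article), here is a minimal composition-analysis check of the kind the second bullet describes: an inventory of third-party components is matched against advisories that carry affected version ranges. All component names, versions and advisory identifiers below are constructed sample data, not real vulnerability records, and versions are compared numerically so that a release such as 1.3.10 is not mistaken for one older than 1.3.8.

```python
"""Minimal software-composition check: match an inventory of third-party
components against advisories with affected version ranges.
Added example, not from the original article; all data is constructed."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan_inventory(inventory, advisories):
    """Return (component, version, advisory_id, fixed_in) for every match."""
    findings = []
    for name, version in inventory:
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append((name, version, adv.advisory_id, adv.fixed))
    return findings


# Constructed sample data (hypothetical components and advisory ids)
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "logging-lib", "2.0.0", "2.15.0"),
    Advisory("ADV-EXAMPLE-0002", "http-client", "1.3.0", "1.3.8"),
]
SAMPLE_INVENTORY = [
    ("logging-lib", "2.14.1"),   # inside the affected range -> finding
    ("http-client", "1.3.10"),   # lexically "below" 1.3.8, numerically fixed
    ("json-parser", "3.1.0"),    # no advisory -> no finding
]

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print("%s %s affected by %s (fixed in %s)" % finding)
```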
Participate in Community Engagement
The final area of advice is around community engagement. No organization should act in a silo. The security community includes standards bodies such as the National Institute of Standards and Technology (NIST), the Trusted Computing Group (TCG), and the International Organization for Standardization (ISO).
The research and academic communities are also key partners in the fight against cyber threats. Even the U.S. Department of Defense invests in “Hack a Satellite,” where they let security researchers hack live satellites.
Community engagement is about building relationships. When it comes to coordinated vulnerability disclosure, create a framework that ensures timely publication for academic researchers, and consider compensating vulnerability findings that are accurate. The compensation can be monetary or nominal (e.g., t-shirts).
Other areas of community engagement you should consider include:
Creating a Product Security Incident Response Team
Establish processes for receiving and managing vulnerability reports. Product security incident response teams (PSIRT) can manage the entire process from discovery through triage, mitigation, and disclosure.
A PSIRT will be made up of people who are adept at understanding complex technical approaches from engineers or developers as well as communicating with customers and other members of the ecosystem.
Ideally, a single PSIRT member will monitor an issue from the first report through disclosure. For ideas on how to get started, check out the PSIRT Services Framework.
Encourage Ethical Hackers to Help Find Vulnerabilities
Organizations that have a mature vulnerability disclosure program should encourage ethical hackers to help find vulnerabilities. This can begin with a generic email address for submissions. To make the process more accessible, publish a web page with specific instructions and supporting information on how to report these vulnerabilities.
State-of-the-art approaches include creative events like hackathons or capture the flag contests where individuals or teams seek vulnerabilities on a timeline.
Organizations around the world are working to improve their cybersecurity profiles to deliver better products and meet obligations around social responsibility. Companies like Microsoft, Salesforce, and Google are setting great examples. This practical advice is just the tip of the iceberg when it comes to steps organizations can take to improve security assurance across product teams, but it is a great place to start.