
How Exceptional CISOs Are Igniting the Security Fire in Their Development Team

For years, many CISOs have struggled to influence their development cohort on the importance of putting security first.


Measuring ROI is the bane of many executives, and CISOs remain under scrutiny to prove the business value of cybersecurity efforts, as well as the effectiveness of their program over time.

For years, many CISOs have struggled to influence their development cohort on the importance of putting security first, not to mention working to control an increasingly complex threat landscape and spiraling attack surface, all while navigating a security skills shortage with no end in sight.

They need a new approach, one that uplifts the security culture organization-wide while ensuring AppSec professionals and developers alike have what they need to drive down vulnerabilities and the risk that follows from them. With it, they can inspire a security-first mindset while using state-of-the-art measurement tools to confirm that upskilling and education efforts are working across the board.

The chasm between “good” and “great” developers is widening, and some verticals are ahead of the curve

As much as some of us would like to return to the simpler times of the 1990s, aspects of how we lived back then simply don't translate to the present day, and software development is no different. Many organizations, especially those with complex legacy systems and code monoliths, struggle to modernize their security programs to accommodate a rapidly digitizing world that constantly demands more from software. According to one McKinsey study, AI coding assistants can increase productivity on less complex coding tasks by up to 50%, bringing a further increase in code velocity that many are ill-prepared to secure efficiently.

A key element we must get right for present- and future-state code quality is ensuring developers are the beating heart of an enterprise security program. This requires precise, continuous security enablement. There is simply too much code, exposing organizations to unacceptable risk, to leave it all for AppSec specialists to wade through.

The ideal state is a veritable army of security-aware developers, and this is rapidly becoming the gauge for a strong security posture. However, with on-the-job upskilling so hit-and-miss, the gap between “good” and “great” developers is widening, and those lacking fundamental secure coding skills will find themselves left behind.

In my briefings with global CISOs across a range of verticals, most struggle to measure cohort performance in their programs, despite code-level vulnerabilities being a human problem that ultimately requires a human solution in the form of security proficiency among the development team. Overall, it has been my observation that enterprises in the finance vertical are more willing to try new approaches to their security programs and to develop in-house talent, and this needs to become the norm in all industries. While not every company has bits and bytes representing actual money in a bank, personal data is the new gold, and protecting it just as fiercely as real currency is paramount.

Meaningful reduction in code-level vulnerabilities is our best chance to secure the software supply chain

There is an age-old standoff between developers and their AppSec counterparts, with little empathy on either side for the plight of the other: developers build, AppSec breaks. There is a serious need to align these teams on one common goal, maintaining code quality and security. Until developers are enabled to assume responsibility for the security outcomes they can control, this friction is likely to remain, and it is not too dramatic to suggest that the future of digital security depends on us, as a wider industry, getting this balance right.

Supply chain attacks represent an avenue for major disruption and, possibly, the chance of a huge payday for threat actors, so it is unsurprising that these types of breaches are becoming more frequent. As we have seen with the likes of the Colonial Pipeline attack, SolarWinds, Log4j, and the recently thwarted attempt with XZ Utils, small windows of opportunity like misconfigured APIs and successful privilege escalation can lead to years-long exploits with the potential to affect millions of people. Quite often, these bugs are the result of poor coding patterns that many developers adopt and execute every day, and will continue to do so unless their secure coding skills are honed, assessed and verified.

Cutting-edge CISOs, however, are no longer leaving this to chance, and they are raising the bar with three key tactics:

  • Executive buy-in: CISOs have traditionally found some resistance in boardroom conversations, largely due to the notion that cybersecurity is viewed as a cost center, with return on investment difficult to prove.

    The best CISOs demand their seat at the table, articulate the necessity of a funded security program, and deliver a vision that their fellow executives can endorse.

  • Holistic, developer-driven security programs: Security programs that fail to address the people factor in driving down vulnerabilities clearly trail behind those that do, but true innovation is realized by CISOs who make developers the star of their show.

    There are vastly more developers than AppSec specialists (in most enterprises, the ratio is 100:1 or worse), and when the development team can write quality, secure code at speed, the pressure normally reserved for the scant team of security professionals can be eased. In a true DevSecOps environment of shared responsibility, this is not an unattainable cybersecurity nirvana: it is the standard.

  • Continuous optimization through benchmarking, training, and skills verification: What cannot be measured cannot be improved, and the best CISOs adopt a deliberate strategy to measure every part of their programs and devise pathways for improvement.

    Developers especially need role-based, comprehensive upskilling pathways that replicate the work they do day-to-day. They should be assessed before and after training programs, and only those with verified security skills should be given access to more sensitive projects and repositories. Forward-thinking CISOs endorse learning activities and skills verification that are incentivized and carry some prestige, while also ensuring safer coding practices and access control.

Benchmarking security skills is key to next-level secure development

We must place collective effort into addressing and uplifting developer security skills, with precision not previously afforded to this significant piece of the cybersecurity puzzle.

CISOs must lead from the top in empowering their organizations to benchmark and optimize security performance, setting a standard for future security programs that achieve business outcomes and exceed the current status quo.

Written By

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations.
