
Legislation Will Soon Force the DevSecOps Issue

A wave of legislation in the U.S. and Europe will soon require organizations to more deeply embrace best DevOps practices to address increased potential liability that might stem from a breach of an application.

A proposed Cyber Resilience Act being negotiated by the member states of the European Union seeks to require organizations that sell hardware platforms that connect to the Internet to ensure that both their devices and the software that runs on them comply with best cybersecurity practices.

In the U.S., meanwhile, a National Cybersecurity Strategy proposal put forward by the Biden administration seeks to hold organizations that collect data or build software more accountable for breaches.

While both proposals are a long way from becoming the law of the land anytime soon, they are indicative of a changing attitude. Governments around the world are concluding the only way to ensure better cybersecurity is to require it. Previous suggestions made by government agencies are going to soon give way to actual mandates. As such, savvy IT leaders would be well-advised to get ahead of this sea change by implementing the tools and processes that inevitably will be required. The challenge, of course, is that there still isn’t enough cybersecurity expertise available to implement cybersecurity best practices, so a different two-fold strategy now must be employed.

Naturally, the best type of vulnerability in an application is the one that never occurred. The simple truth is that most of the vulnerabilities that find their way into production applications are well known. Developers, however, have limited cybersecurity expertise, so, not surprisingly, they keep making the same mistakes multiple times over. Many organizations are now embracing best DevSecOps practices that shift more responsibility for application security further left toward developers. The challenge is finding the right set of cybersecurity tools that surface vulnerabilities as code is being written. Fortunately, a wave of generative artificial intelligence (AI) tools is starting to provide suggestions on how to improve code as it is written, including ways to remediate vulnerabilities. GitLab, for example, has pledged to add a capability to automatically resolve vulnerabilities to its continuous integration/continuous delivery (CI/CD) platform.
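The shift-left practice described above, surfacing known vulnerability classes in the pipeline before code reaches production, is easiest to see in a CI configuration. The following `.gitlab-ci.yml` is an added example written for this page; it is not code from the article or from GitLab, though the two included templates (`Security/SAST.gitlab-ci.yml` and `Security/Secret-Detection.gitlab-ci.yml`) and the `SAST_EXCLUDED_PATHS` variable are real, documented GitLab features. The pipeline trigger rules and the excluded paths are assumptions chosen for illustration.

```yaml
# Added example (not from the article or GitLab): a minimal .gitlab-ci.yml
# that runs GitLab's bundled static analysis (SAST) and secret-detection
# jobs on every merge request, so findings appear in the review before
# the change is merged rather than after it is deployed.
stages:
  - test

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

# Assumed project policy: scan merge requests and the default branch only,
# to keep pipeline time down on throwaway feature-branch pushes.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

variables:
  # Documented SAST template variable; the directory list is an assumption
  # for this example (test fixtures commonly trigger false positives).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
```

The templates attach their findings to the merge request as security reports; they do not by themselves fail the pipeline on a finding. Whether a merge is actually blocked is decided by the project's approval rules and policies, so a team that wants the "never reaches production" outcome the paragraph describes has to configure that gate explicitly rather than assume the scan job enforces it.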

The second initiative that organizations are embracing is to shift more responsibility for security operations right toward IT teams. Responsibility for everything from deploying firewalls to managing endpoint security software is now being addressed within the context of a larger IT service management (ITSM) strategy. As in the case of shifting more responsibility for cybersecurity further left toward developers, IT operations teams will also be taking advantage of AI to better understand the attack paths that cybercriminals might employ to compromise an IT environment.

None of this, of course, eliminates the need for cybersecurity expertise within an organization, but it does help to maximize a limited resource. Cybersecurity teams can focus more of their efforts on making sure policies are current and on determining how best to thwart the tactics and techniques that cybercriminals are employing as threats continue to evolve.

Many organizations are already moving down these paths to improve their overall cybersecurity resiliency. Arguably, many of them are making more progress shifting responsibility for security operations further right than they are shifting more responsibility for application security further left given the historic divide between developers and cybersecurity professionals. A recent survey of 397 IT, cybersecurity and application development professionals conducted by Enterprise Strategy Group (ESG) on behalf of Data Theorem, a provider of a platform for securing application programming interfaces (APIs), finds 41% report security teams lack visibility and control of development processes. Other issues include new builds deployed to production with misconfigurations, vulnerabilities and other security issues (40%), developers skipping security processes (39%), software released without going through security checks and/or testing (38%), lack of security process consistency across different development teams (38%), security team can’t keep pace with release cadences (34%) and developers’ reluctance to work with security (29%).

There’s no doubt that when it comes to application security a lot of progress has been made, but no one can deny there is still a very long way to go before anyone can claim the job is anywhere near done.

