U.S. government agencies and industry are under attack from cybercriminals and nation-states conducting espionage, stealing data and spreading ransomware. In fact, recently, several government agencies issued an advisory warning of BlackMatter ransomware targeting U.S. food and agriculture industries. Increasingly, bad guys are targeting software supply chains — the development of software, and the software update processes — to amplify the blast radius of their attacks. We saw this with the SolarWinds hack, and more recently software testing platform Codecov and remote management software provider Kaseya. Software supply chain attacks will continue to be successful as long as the chasm between software development teams and info security teams persists. Until these two departments agree on common goals, attacks targeting software vulnerabilities will continue to cause havoc.
InfoSec and software development misalignment gives attackers an edge
Info security and software development have differing and competing goals. The two teams have been at odds over this for many years, but the problem has become more acute as more companies become digital businesses and apps permeate every aspect of our lives. Developers write the software and oversee the processes that shepherd it through development and into release. They want to develop fast—so they use open source and code copied from other projects. Info security teams design the security architecture and run security operations. They are incentivized to make sure that vulnerabilities are found and eliminated.
Security takes time away from the development cycle and interferes with a developer’s ability to work fast. These opposing objectives have created antagonism within organizations, leaving security overlooked. Further exacerbating the problem is that neither department can agree as to who should be responsible for the security of the organization’s software build process. A recent Venafi survey of more than 1,000 security and development professionals found that 58% of security respondents said it should be their responsibility, 53% of developers claimed ownership, and only 8% said responsibility should be shared.
Companies blame successful cyberattacks on buggy software, but the real culprit is smart and motivated adversaries who understand the organizational weaknesses of their targets. This internal conflict within organizations around the world is a delight to attackers, who recognize the organizational weakness and exploit it.
Adversaries spend 100% of their time thinking about how to attack and compromise the developer’s software and processes, yet developers don’t spend much time thinking about the bad guy. Developers are not trained to think about attacks—their priority is meeting deadlines. However, developers should take more responsibility for securing the code and the code development process: they alone understand it, and they are responsible for its integrity, which includes security.
Security, once an afterthought, now a top CEO priority
Security in general is an afterthought, especially when it comes to software development. For the most part, executives treat security as an additional task that needs to be taken care of. The problem is that attackers now target software while it is being developed. If software in development is successfully compromised and the compromise is not detected, cybercriminals gain widespread, hard-to-detect access to data and networks across organizations and their customers.
Accountability starts at the top. The CEO is responsible for aligning the development organization and the security team around shared goals. Why the CEO? The modern organization is software. Software development is happening in every business unit and in every function. Software delivers the competitive edge. Only the CEO has the correct vantage point to align the goals of security and development throughout the organization.
So, how do we fix it? Businesses need to align these two departments on a common goal of fostering fast development that incorporates security throughout the software development lifecycle. Here are some recommendations for how to do this.
CEO leads the charge
DevSecOps is just a hollow phrase if it doesn’t have clear direction from the very top. The reason the security-development alliance has failed in so many organizations is because it was treated like a “nice-to-have” instead of a “must-have.” CEOs need to send a clear message company-wide and through the chain of command that development and security are required to work together on the common goal of creating secure software fast as a part of their mission.
Accountability for “fastsecure”
The CEO should fast-track and prioritize a new “fastsecure” approach that aligns development and info security on a common mission. The CEO can deputize one of the senior executives to hold the teams accountable for working together to reduce security issues while enabling fast development. It’s possible to have fast development and secure development simultaneously, and that’s what this initiative is about. The fastsecure leader will set a unified goal, foster a culture that embodies fastsecure, create a plan for success, and establish metrics to show progress. In the past, CISOs have been fired or replaced for data breaches. It’s time for C-level executives to see the same urgency for problems caused by insecure software.
Eliminate confusion with shared responsibility
As the Venafi survey found, there is no agreement on who is responsible for secure software. Even 55% of executive team members disagree on which team is responsible. This leads to confusion and allows efforts to improve software security to fall through the cracks. Both teams should be equally responsible for secure software efforts, and incentives for both teams should be aligned and on par. Both teams also need to be equally responsible for developing fast. The mandate in my company is for infosec to always be able to identify how a change that makes something more secure actually increases the speed of the organization. At the same time, anything development does to accelerate software development must simultaneously increase security.
The greatest new strategies and markets result from joining two attributes that are seemingly at odds. An example can be found in the car industry. There used to be two categories: luxury and performance. Luxury cars were like boats: they cornered poorly, accelerated slowly, and weren’t fun to drive, but they were comfortable. Performance cars were uncomfortable, but they cornered well, were fast, and were fun to drive. One day a Japanese car manufacturer combined luxury and performance into one car that was both fun to drive and luxurious. They captured major market share, and today most cars combine comfort and performance. We have the opportunity right now to take the same approach to software development. We need to, or the attackers will keep the advantage.