News

LEADING BRAND IN SECURITY ASSESSMENT - ONWARD

Onward Security promotes DevSecOps to address challenges in cybersecurity regulatory compliance

2020 / 03 / 17

In the IoT era, device manufacturers or brands are strongly promoting network-enabled products while trying their best to shorten time-to-market. In their effort to speed up product development, they may overlook some blind spots in data protection and put devices with security vulnerabilities on the market. More often than not, such security vulnerabilities are discovered by foreign government agencies or hackers, which may not only cause harm to consumer privacy but also lead to litigations that damage to business reputation and brand image.

Device vendors face increasingly strict government regulations, cybersecuirty standards and procurement requirements. Aside from functional tests, they need to incorporate Secure Software Development Life Cycle (SSDLC) to ensure compliance with cybersecurity requirements. However, most device vendors lack the capacity to engage cybersecurity operation, inspection and testing practices needed for them to overcome challenges after challenges and achieve regulatory compliance. In view of this, Onward Security, having accumulated years of experience in addressing cybersecurity issues with network-enabled products, introduced HERCULES SecFlow and SecDevice, which are automated product security assessment platforms aimed to help firms implement DevSecOps procedures and effectively meet international standards and customer requirements on cybersecurity.

Product security assessment combined with DevSecOps development agility helps achieve cybersecurity regulatory compliance

According to Jacky Lee, product development director and chief development officer, Onward Security, governments around the world are renewing their policies and regulations on cybersecurity in recent years. For example, the U.S. Food and Drug Administration and the European Union have all instituted data security rules for medical devices. California introduced America's first Internet of Things (IoT) cybersecurity law (SB-327). The U.S. Department of Defense developed Cybersecurity Maturity Model Certification (CMMC). Moreover, many international network-enabled device brands have raised product security requirements to their suppliers. With these regulations and requirements in place, device manufacturers face increasing pressure in keeping up with regulatory changes and bringing compliant products on the market.

To address compliance with the slew of regulations and standards taking effect one after another, device vendors are looking to incorporate DevSecOps in their development process for the purpose of accelerating time-to-market while enabling high-quality data protection. However, this requires specialists in product security assessment, secure software development and vulnerability detection and all of them in the three fields of expertise are indispensable. Most device vendors will have to overcome a high barrier and allocate tremendous resources to be able to build a professional team comprising all the needed specialists. Moreover, the process will take one to two years and thus it is a formidable challenge.

Onward Security 's HERCULES automated product security assessment platform is designed to lower the threshold for customers and accelerate the time it takes to incorporate DevSecOps. HERCULES SecFlow is a product security management system aimed to address customers' needs with respect to security regulations. It enables information sharing and coordinates collaborations among the development team, data security team and operation team. It helps customers build DevSecOps practices into the development process while ensuring each development step complies with data security rules. For example, by implementing product security assessment mechanisms and keeping track of the latest network security risk information from external sources, SecFlow guarantees full control over the cybersecurity of every product. Aside from helping customers quickly establish a cybersecurity system, SecFlow also provides risk assessment for open source libraries, product vulnerability management and security incident response and handling to help product development teams, data security teams and operation teams quickly come up with countermeasures.

SecDevice is an automated vulnerability assessment tool designed to address the timeliness issue of DevSecOps in product development and inspection. It performs quick and precise vulnerability scanning and testing on the development team's finished product by simulating cyber attacks, thereby allowing a thorough check on cybersecurity during product development before going to market.

Integrating multiple patented innovations, SecDevice features unique and powerful fuzz testing

According to Lee, there are other vulnerability detection and scanning tools on the market but they are common information systems designed for use by IT administrators to solve technical issues and fill some inspection and testing gaps. HERCULES SecFlow and SecDevice, on the other hand, are designed with a focus on security regulations and an emphasis on item-by-item compliance, aiming to address regulatory compliance in cybersecurity of IoT devices and accelerating time-to-market.

"More importantly, HERCULES is a product security regulatory compliance solution that is 100% developed by Onward security team. Not only does it demonstrate strong professionalism but it also features unique AI technology," noted Lee. For example, two approaches are adopted to conduct vulnerability detection. Vulnerability scanning discovers known issues by doing a comparison with information in the Common Vulnerabilities and Exposures (CVE) database. Fuzz testing aims to find unknown weakness so it is more valuable and imposes a higher technological barrier.

Integrating multiple patented innovations, SecDevice features fuzz testing to discover unknown security vulnerabilities in IoT devices. First of all, a patented algorithm that generates non-repeated and targeted attack test cases can conduct effective vulnerability checks on the device under test. It can validate system stability and error handling ability in the most concise manner and the least amount of time. Furthermore, SecDevice also analyzes the condition of the device under test similar to a doctor checking a patient's respiratory rate. It learns and analyzes how the device responds to situations so that it can detect the device's vulnerabilities with a higher precision and thereby minimize errors that require handling by human testers.

Incorporating AI machine learning, SecDevice can cope with increasingly diverse applications and different types of IoT devices being used in wide-ranging scenarios. It can quickly and easily conduct vulnerability detection for 5G or independently developed network protocols. The three unique strengths enable SecDevice to help customers complete product security check more rapidly, precisely and thoroughly, in line with the DevSecOps agility objective.

The user base of SecDevice includes connected device developers and brand vendors. It takes connected device developers originally only having the capability to conduct functional tests less than two months to incorporate SecDevice and build up product security inspection and testing capability. Brand vendors that need to perform tests and acceptance checks on a slew of products and provide feedback to respective software development teams also spend a similar amount of time incorporating SecDevice and building up such capability despite their heavier testing workload.

In general, to build up an in-house product security inspection and testing team, vendors will need to hire at least five full-time employees and purchase more than five enterprise-level testing tools. The process can take one to two years. SecDevice's most valuable advantage is that it significantly lowers the threshold so that firms can quickly establish the capability to ensure product security.

Risk assessment on open source libraries preempts security threats and quickly eliminates security risks

SecFlow provides a myriad of refined features aimed to help customers minimize security risks early in the product development phase, saving them from costs that they may have to bear if problems are discovered after their products go to market. For example, the development team preloads all product information in the module that performs risk assessment on open source libraries and continues to optimize the correlation. Then, when the operation team receives a report of a product security issue, the data security team can help the development team look into the issue and assess the scope of impact within a day and the two teams work together to resolve the issue in two weeks. The general practice is that the operation team or data security team assigns other teams to investigate a security incident after they learn of it, which could take three months at least. They may end up being unable to solve anything due to unclear roles and responsibilities. Now with SecFlow, the development team, data security team and operation team can work in synchronization to tackle all sorts of product security challenges today.

Commenting on product sales, Lee indicated that a number of Asia-based device brands and manufacturers have successfully incorporated SecFlow and SecDevice, with international vendors in China, Japan and India to follow suit. Based on experience gained from each use case, Lee suggests that Asia-based firms phase in DevSecOps if they are concerned that a complete switch-over to DevSecOps will disrupt their product launch plans. They can start by leveraging SecDevice for product testing to ensure high-quality data security and then proceed to using SecFlow to build up product security management flows and mechanisms. Finally, they can obtain product security certifications with help from Onward Security's cybersecurity regulatory compliance service. Such an optimized flow will help improve corporate data security from the inside out.

It should be noted that HERCULES SecFlow and SecDevice have been recognized with multiple international awards for their unique design concept. For two years in a row, SecFlow and SecDevice won InfoSecurity Product Guide's gold awards for Security Information and Event Management (SIEM) and Internet of Things Security as well as CyberSecurity Excellence Awards' gold awards for Vulnerability Management and Incident Response, Embedded Security and ICS / SCADA Security.

On top of those, in 2020, InfoSec Awards named SecFlow Best Product in the Incident Response and Vulnerability Management categories and SecDevice Next Gen Product in the Internet of Things (IoT) Security and ICS/SCADA Security categories. They are being honored mainly for their ability to precisely and effectively help customers build up a secure software development process and carry out product security inspection and testing work.

Jacky Lee, product development director and chief development officer, Onward Security

According to Jacky Lee, product development director and chief development officer, Onward Security, through patented smart fuzz testing, Onward Security can effectively fill gaps in cybersecurity inspection and testing and reduce security risks of IoT devices when customized protocols are adopted.

On the news