DevSecOps: Finding agility in automated development and security operations
CISOs will tell you that weaving security controls into product development is a daunting challenge and failing to do so has detrimental consequences.
The world’s first CISO, Steve Katz, says the security industry that exists today wasn’t in anyone’s wildest dreams. Technology, software development, and the abundant risks in cybersecurity have all become more sophisticated since Katz donned the first CISO hat in 1994.
Two decades ago, a group of jaded software developers met at a ski resort in the Wasatch mountains of Utah. They were determined to dissolve the archaic, rigid, and micromanaged waterfall methodology that was the gold standard for software development at the time. The linear method didn’t provide the speed and flexibility that developers needed to keep pace with the explosion of the internet.
They had crafted the Agile Manifesto by the time they left the snowy summit. The document embodies 12 principles that define the agile methodology, which encourages organizations to adopt a culture of collaboration between customers, developers, and product management to deliver better software solutions.
Nearly a decade later, organizations realized that many agile principles did not extend beyond the design stage to provide continuous delivery to customers.
A changing IT culture
This triggered the DevOps (development and operations) movement. Gartner defines DevOps as “a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and seeks to improve collaboration between operations and development teams.”
The movement was undoubtedly a necessary shift toward leveraging third-party tools, open-source libraries, cloud services, and other technologies to meet the demands of customers. Yet these same resources make it difficult for security teams to keep up with the rapid-release cycles of product development, according to Jacky Lee, director of product development at Onward Security.
This is a major concern for CISOs given that many application flaws can linger undetected for years. A current example is the set of 19 zero-day vulnerabilities impacting a TCP/IP library that was developed in the 1990s. Dubbed Ripple20 by cybersecurity experts, the set includes four vulnerabilities rated critical on the CVSSv3 severity scale, and they are expected to ripple through the IoT landscape indefinitely.
Lee stresses that tracking the latest network risks from external sources and continuously implementing security assessment mechanisms can boost control of cybersecurity in every product.
Perhaps CISOs and CSOs understand this better than anyone because they are taking the heat for data breaches.
Katz encourages fellow CISOs to be confident enough to stand up and say, “Look, I can help reduce risk. I can minimize risk. I cannot make it go away.”
If Katz were driving the bus today, he would bring on data scientists to figure out how to effectively handle data and information security because they are business risk issues — not technology issues, he tells Cybercrime Magazine. “We have to do better at bringing artificial intelligence and machine learning into information security.”
A phenomenal shift in cybersecurity
This dilemma has spawned yet another culture shift in the software industry. The boardroom and executives are beginning to heed the concerns of security leaders. They recognize that security can’t be stitched into products after issues arise. It is bad for both the company and its customers.
Consequently, many organizations are bridging the gap between development, security, and operations teams — DevSecOps — and weaving security into the software development lifecycle from the very beginning.
Not only are development and security operations upping the ante on cross-department collaboration and securing continuous delivery of software in rapid-release cycles, but they also have access to previously unimaginable technologies that offer phenomenal capabilities.
Leveraging a full suite of automated vulnerability management, security assessment, and incident response tools is one of the most efficient ways to identify and remove risks during product development, and continuously monitor and address threats after products are released, according to Lee.
He adds that injecting artificial intelligence and machine learning into DevSecOps processes can significantly improve the accuracy of vulnerability detection and accelerate response time.
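One concrete form of the automated vulnerability management Lee describes is a pipeline gate that compares the components a build ships against an external advisory feed and blocks the release when a component falls inside an affected version range. The script below is an added illustration, not Onward Security’s HERCULES suite or any code from the article; the SBOM entries, advisory ids, version ranges and CVSS scores are all constructed placeholders, and the half-open version-range convention is an assumption chosen for the example.

```python
"""Dependency vulnerability gate for a CI pipeline (constructed example).

Matches the components in a software bill of materials (SBOM) against an
advisory feed and fails the build when a shipped component falls inside an
affected version range at or above the chosen severity threshold.
Every component name, version, advisory id and score here is a constructed
placeholder, not a real advisory.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed SBOM: what the build actually ships. In practice this comes
# from the build system or an SBOM generator, not from a hand-written list.
SBOM = [
    {"name": "netstack-lib", "version": "6.0.1.66"},
    {"name": "jsonparse", "version": "2.4.0"},
    {"name": "tlswrap", "version": "1.9.3"},
]

# Constructed advisory feed standing in for the "external sources" the
# article mentions. "introduced"/"fixed" form a half-open range: versions
# >= introduced and < fixed are affected. fixed=None means no patched
# release exists yet, so every version from "introduced" onward is affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "netstack-lib",
     "introduced": "4.0.0", "fixed": "6.0.1.67", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "component": "jsonparse",
     "introduced": "2.0.0", "fixed": "2.3.5", "cvss": 7.5},
    {"id": "EXAMPLE-0003", "component": "tlswrap",
     "introduced": "1.9.0", "fixed": None, "cvss": 5.3},
]


def parse_version(text: str) -> tuple:
    """Turn '6.0.1.66' into a tuple of ints so that comparison is numeric,
    not lexical (as a string, '10.0' would sort before '9.0')."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if `version` lies in [introduced, fixed), or in [introduced, inf)
    when no fix has been released."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:
        return True
    return v < parse_version(fixed)


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    cvss: float
    fixed_in: Optional[str]  # None when the vendor has not shipped a fix


def scan(sbom: list, advisories: list) -> List[Finding]:
    """Cross-reference every shipped component with every advisory for it."""
    findings = []
    for comp in sbom:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(Finding(comp["name"], comp["version"],
                                        adv["id"], adv["cvss"], adv["fixed"]))
    return findings


def gate(findings: List[Finding], threshold: float = 7.0) -> bool:
    """Return True when the build may proceed: no finding at or above the
    CVSS threshold. Lower-severity findings are reported but do not block."""
    return all(f.cvss < threshold for f in findings)


if __name__ == "__main__":
    results = scan(SBOM, ADVISORIES)
    for f in results:
        fix = f.fixed_in or "no fix available"
        print(f"{f.component} {f.version}: {f.advisory_id} CVSS {f.cvss} (fixed in {fix})")
    print("build allowed" if gate(results) else "build blocked")
```

With the constructed inputs, netstack-lib is flagged (one patch release short of the fix) and tlswrap is flagged with no fix available, while jsonparse is already past its fixed version. The gate blocks the build at the default threshold because of the critical netstack-lib finding; the tlswrap finding alone would only be reported. A real pipeline would refresh the advisory feed on every run, which is how the continuous tracking of external risks Lee recommends actually takes effect.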
Got auditors on your tail? “No worries,” says Morgan Hung, CEO and general manager at Onward Security. Its suite of automated tools — collectively known as HERCULES — helps manufacturers and other businesses meet strict international cybersecurity regulations such as the NIST and IEC 62443 frameworks.
“CISOs can use security automation tools to consistently gather metrics and provide requisite documentation to avoid compliance nightmares,” he adds.
But we must become more agile
The CISO’s long-awaited DevSecOps bares an old foe that has challenged organizations since the inception of software development.
Putting aside the sophisticated technology that enables us to automate and continuously deliver safe products, people will always drive the organization’s success. Yet communication between security, development, and operations teams has been a persistent struggle.
CISOs and respective team leaders will have to lean on each other and nurture relationships to collectively make this new culture work.
A key principle of the Agile Manifesto states: At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
Perhaps adopting a nimble approach to DevSecOps will help us get there faster.