In today’s information-centric world, hackers are after data and business logic, which they can manipulate and control. That means stealing your intellectual property, your customer data (credit card numbers, SSNs, addresses, etc.), your business processes and your trade secrets.
With software, protecting one point in the system is not sufficient. The whole pathway to the data must be secure; if there is any vulnerability along that path, then the entire system is vulnerable. Hackers are ingenious in discovering new pathways. Years ago they started at the network and hardware levels, but as those layers have become better defended, they are now going straight to the application layer.
This framing is useful for explaining things like why encryption alone is not going to help you with application security.
As a CISO or security executive, you face a myriad of challenges when considering the risk in your software.
First, legacy systems: these systems were built in a different era. For many legacy applications, security was sufficient for their time and place of creation. With the uptick in devices using technologies like Service Oriented Architecture (SOA) and enterprise mobility to increase access and scope, these systems are being put into scenarios they were not designed for. These systems, and their millions of lines of code, have to be scanned and scrubbed. They have to be secured.
The second part of the challenge is preventing more insecure code from being developed and introduced. This is what we mean when we say “build security in”. As a CISO (security executive), how can you ensure that new releases don’t continually introduce additional risk through software vulnerabilities, particularly when the threat landscape changes constantly and new threats are identified nearly every day?
Additionally, there is increased pressure externally from changes in compliance regulations and internally from audit policies and practices. Merely responding to compliance mandates can turn into a never-ending cycle and still not ensure that your code is more secure.
So, who owns software security?