As we say goodbye to 2020 and spend time reflecting on the industry changes, reassess our workflows and procedures in order to identify where 2021 will bring us, it’s a brilliant time to also address our security practices and ways we can bring improvement to those, as well.
After considering the top challenges I saw with development teams and security teams within development environments, I came up with a list of ways to focus our security improvements for 2021.
1. Proportionate security by design
You have likely heard the term ‘by design’ many times when it comes to either privacy or security, and whilst it’s a favorite phrase of mine to say, I often find I need to elaborate on what that actually means.
For example, I created a highly simplified list of phases above. This is in no way perfect or even proportionate, but what it does is highlight the high-level phases of a program.
From the left, we see the ‘conception’ where the idea is generated and hopefully validated along with the initial design/approach (potentially some pseudo-code and even flow diagrams). From a security and privacy perspective, it is expected this phase will also include identification of potential controls to be put in place in order to mitigate some risks, reduce others, and generate ideas on how to validate effectiveness.
Over time, I have noticed that one vital piece of building a resilient solution is often misunderstood. The methodology of threat mapping and understanding how to put that into context of your solution can often be either forgotten, ignored, or misrepresented. Without accurate knowledge on the risks your solution is going to face, it is highly likely these will be missed, ignored, and ultimately exploited.
2. Clear, reliable documentation
One challenge I have seen over and again throughout my career is that teams struggle to maintain documentation. This comes to a head when going through external audits, penetration tests, network changes, employee changes, the use of solutions by external persons using solutions, incident response, updating, the alignment of threat intelligence programs, and more.
Essentially, documentation is a key part of any environment, but it’s so easily forgotten, rushed, and/or left out of date. Additionally, I have also been surprised to realize that professional documentation does require a certain skill, and unsurprisingly, it takes time and effort that senior leadership has to support.
For organizations who find themselves in the category of absolutely no documentation, I would highly suggest implementing a program that aims to:
- Identify all key areas required in order to prioritize these.
- Identify the standard this documentation must meet.
- Implement a realistic phased-approach that the teams handling this can meet, with priority given so it isn’t left after a busy period.
- Use governance and check-ins in order to ensure deadlines are met and risks are identified where they may be delayed.
For organizations that have existing documentation in place, which may require updating and maintaining, the above steps are a great place to start to see where a formalized approach might have been missed. Moving forward into maturing this program, additional considerations are:
- Roles and responsibilities formally documented and enforced through KPIs and metrics. These can be considered within the employees review process.
- Support and buy-in shown from senior leadership. This can be done by things like not expecting employees to simply fit it in but having time within their full-time schedule to meet the demands of appropriate documentation.
- Inclusion within the formal review or project governance agenda, where employees can raise concerns or discuss points when needed.
Whilst documentation may not seem like a massive issue, as noted above, it does span a variety of programs, as well, it supports by design and by default the implementation of security and privacy controls, even considerations like making use of zero-trust solutions.
3. Security focused training and methodologies
Cyber security is made up of People, Process, Technology. Each one is key, but people are first for a reason. In order to implement realistic and appropriate solutions, you need to work with your people in your organization. Speaking and working with developers has unfortunately shown many situations where they truly want to make a more secure solution and embed security by design but are unsure where to start.
As one friend put it, “I was taught how to build efficient solutions, taught how to create – but never taught how to secure it. What to consider, where to go, or even foundations of security.”
A lot of the time, I think we expect developers to be these magical machines who are able to produce solutions based on a variety of skill sets and careers but who aren’t supporting them with appropriate resources to achieve this.
Organizations looking to embed better security practices can support this piece by asking:
- Does your environment have a secure development lifecycle, both documented and practiced? It’s great to have the policies and procedures and a requirement for any industry certification like ISO/IEC 27001, but the teams also need to know the methodologies in place and have the resources to follow them.
- When was the last formal security course taken? This isn’t security awareness, mentioned below, but formalized training on methodologies to secure coding, foundations of security, and more.
- Is there a formalized Security Awareness Program? Often, I will do a security assessment and whilst the response will be "We do provide training," there is no formalized approach, i.e., identification of metrics, behaviors needing to be addressed, documented approach to how it’s addressed, and so on.
4. Maintain your foundations:
Whilst we continuously hear about new sexy solutions, exciting zero-days, and key marketing words, the reality is that the majority of incidents are opportunistic and a failure in our foundations.
Organizations looking to bring in the new year with resilience should look to their foundations and validate if they’ve appropriately removed and/or mitigated enduring risks. Whilst a few we have already discussed above, programs to investigate are:
- Risk Management, including threat mapping
- Patch and Asset Management
- Vulnerability Management
- Threat Intelligence
- Third Party Governance
5. Continuous validation on your solution and your environment
This is embedding security by design from the conception of the idea straight up to the release and throughout the solution’s lifecycle of changes. It also includes continuously validating that your processes are proportionately applied based on the solution you build, even as your environment changes.
A great place to start for all organizations, regardless of their current state, is having a cyber security maturity assessment (CMA) done whilst building an effective budget. The reason a CMA is so effective is it starts with identifying your inherent risk. That is the risk to the organization before security controls are put in place. Additionally, the above suggestions are all considered within the overall risk and maturity of your organization. When I run through a maturity assessment, I’m looking at five areas: Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cyber Security Controls, External Dependency Management and Cyber Incident Management and Resilience. Regardless of the type of organization or the solutions that are being built, it is critical that the foundation is strong enough to build a resilient solution.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.