Beyond AppSec: Securing the Product

"I'd like to change the name of my organization from Application Security to Product Security." I remember broaching this topic to my CISO at the time. While it seems like a minor change, the reality is that there are significant differences.

And there was a purpose behind it.

What's in a name

While AppSec is still alive and very well, ProdSec encompasses more than just securing the application. It's no surprise to anyone that is working in the application development space that applications are no longer monolithic, no longer deployed on-prem, no longer self-contained, and no longer developed mostly in-house. This has fundamentally changed the way we think about the application, and the product.

One great way to visualize this is thinking of a vehicle. While there are individual parts and sub-systems, the vehicle itself is the product. At least in the eyes of vehicle maker. However, some of the systems in the vehicle, like the entertainment or braking system, can be swapped out for other types depending on the model and driver tastes. These are the components (or applications) in a larger product.

While an application refers to a specific software program or tool, a product encompasses a more comprehensive software solution, often comprising of multiple applications and associated components designed to meet broader user needs or organizational requirements.

Other ways to differentiate between products and applications:

Application:

• An application typically refers to a specific software program or piece of software designed to perform a particular function or set of functions.
• Applications are often developed to address specific user needs or business requirements, such as document editing, accounting software, and communication tools.
• They may be standalone programs installed on individual devices or accessed via the web as web applications.
• Applications may serve a single purpose or provide a suite of functionalities, depending on the scope and complexity of the software.

Product:

• A product encompasses a broader scope and typically refers to a complete software solution or system offered to customers or users.
• Products are often composed of multiple applications, components, and features integrated together to deliver comprehensive functionality.
• Unlike individual applications, products are designed and marketed as cohesive entities, often with a unified user experience and overarching set of features.
• Examples of software products include operating systems like Windows or macOS, enterprise resource planning (ERP) systems, customer relationship management (CRM) platforms, financial or healthcare platforms.

Protecting applications is not the same as protecting products

Considering that application security is a subset of product security the security controls that are leveraged are different. Primarily because they cover different areas. One key distinction is that product security encompasses securing the complete solution that is provided to a user. This is not an exhaustive list, and your milage may vary, but this generally means securing the following:

• The data in every nook and cranny that your data ends up in. On the client, on the server, in the database, on the file system, over the network....you get the point.
• The interactions with 3rd party vendors, whether you're sending or receiving data from those vendors. The vendor that creates that widget that is critical to your product just got ransomwared. That's now your problem.
• The supply chain of the software that you are creating. The numbers vary, but assume that probably half of your software that you are running in your application has not been developed by your development team. They probably haven't even seen the code.
• The network (if on-prem, or hybrid) or cloud posture. This involves many different sensors, appliances, and services that are constantly scanning for risks and indicators of suspicious activity.
• The devices, such as IoT, mobile, and even the BYOD (bring your own device) tech that is allowed to be used for/by your product.
• Don't forget that the product has to actually run in a production environment. This means that solid asset management, infrastructure, policy, and incident response need to be well defined, tested, codified, and managed.
• We often forget that there are corporate systems that are used to support the product that we deploy to production. You may have your ticket management system integrated with your scanning tools. You may have your lead generation product tied to your ad campaign which drives the content that is exposed to your users in the product. But those tools are usually managed by a different team that may or may not be part of your security team.

Remember that there is little to no limit to what customers expect from your product in terms of capability and technology. Your product team should expect the security organization to meet those demands equally. That means moving beyond the scanning and testing of individual applications (as in AppSec) and instead focus that effort into building a security view of the overall product. This can culminate in something like a score or "nutrition label" for the product giving the organization a quick glance at the overall posture of the product from a security perspective.

Product security often sits between enterprise and application security

One place where ProdSec can have the biggest impact is as a liaison between Enterprise Security and Application Security. In larger organizations there is often a top-down approach to security where policy and directives are being defined at an enterprise level and then disseminated through the organization.

In this equation, ProdSec can ensure that what is being finalized at the enterprise level is brought into the individual products and solutions or applications within those products. Take, for example, a new threat intelligence service that the enterprise is brining in to enhance their detection capabilities and threat hunting. This service can be of value at the individual product and application level as the intel may impact supply chain solutions being used at the lower level.

Can the security of the product be a selling point?

Yes.

We know that fixing earlier is better so there is a cost savings associated with securing from the start. However, we know that consumers are becoming a bit more savvy (don't listen to your security people on this one) when it comes to security. Consumer awareness of cybersecurity has significantly increased, driven by the rising frequency and impact of cyberattacks. Public concern over data privacy and the potential for personal data breaches has heightened, influencing consumer behavior and expectations towards companies. Consumers are now more likely to avoid businesses that have suffered cyberattacks, emphasizing the need for strong security measures and transparent communication about data protection efforts to maintain customer trust and loyalty (Security Intelligence ).

This can be as simple as ensuring that the default settings of consumer products be set to more secure options to ensure that the consumer's security and privacy are considered from the start. It's also important to raise the trust of the consumer by putting clear language regarding how the product is handling the consumers data while using the product, and if possible, provide some details about how the product handles security.

Much like the organic food rush many years ago captured the attention of health conscience individuals, people want to know that the products they are using are, at the very least, not creating harm.

Where is the world on this

Regulations are rapidly putting pressure on organizations to secure their products as well. This goes beyond what many of us have been accustomed to which is a series of perennial audits or questionnaires that rarely go deeper than "do you have a secure SDLC", "do you have an incident response plan" and "do you have a back up strategy". I'll save you the trouble: almost any organization will answer yes to this. That doesn't mean they are secure. However, if you're in the United States (or at least paying attention to this space) you'll know that in 2021 the President Biden issued the Executive Order on Improving the Nation's Cybersecurity. This included directives on modernizing government cybersecurity, removing barriers to information sharing between the government and private sector, improving the security of software supply chains, and implementing stronger cybersecurity standards in federal agencies. The focus is on ensuring the security and integrity of both information technology and operational technology systems, with a policy emphasis on the prevention, detection, assessment, and remediation of cyber incidents.

Kind of sounds like "secure your product".

After the Colonial Pipeline and SolarWinds attacks showed how vulnerable critical infrastructure and the supply chain can be, it was no surprise that the government looked to shore up the security of the nation.

But the US isn't the only country in the world (yes, I know it's shocking).

• The European Union's NIS (Network and Information Systems) Directive, which is the first EU-wide legislation on cybersecurity, aims to achieve a high common level of security of network and information systems across the EU.
• The Australian Government has the Cyber Security Strategy, which sets out the government's plan to protect Australians from cyber threats and become a world leader in cyber security.
• Canada's National Cyber Security Strategy focuses on securing government systems, partnering to secure vital cyber systems outside the federal government, and helping Canadians to be secure online.

This is to say that cybersecurity continues to be front and center around the globe, and the focus will continue to be on building secure products.