How Software is created and the need for convergence in security


On Wednesday April 24th the Center for Strategic & International Studies (CSIS) hosted a discussion on the state of cybersecurity and how software is created these days. I had the privilege of watching a distinguished panel of experts talk about a wide range of cybersecurity challenges, opportunities and pressing needs for the future. The panel included professionals from non-profits, law firms, a government agency and defense. The focus was on how to ensure that the software being created today is able to do what we need it to do, and also that we understand how that software is made. Here are some key highlights.

William Stephens (Director, Counterintelligence, Defense Security Service, Department of Defense) kicked things off with a presentation about what he is seeing at the Defense Department, what threats are looming and what government policies need to change. He spoke about the need for governments to support smaller companies and give them the opportunity to create better technologies. One major point he made was that organizations still view corporate (physical) security and cybersecurity as two different things, and he noted that this separation is a major threat to organizations. According to data they had collected, 54% of hackers used both forms to try to find vulnerabilities to exploit organizations. This is why SOC teams need to converge the two functions into one and monitor them as a whole. My company has been trying to stitch the two groups together for many years now, recognizing a critical risk, and our clients are enjoying the recommendations we put forward.

Roberta Stempfley (Director, CERT Division, Carnegie Mellon University Software Engineering Institute) spoke about how software design, development and deployment have changed over the years. She made me realize the sheer amount of software co-existing and communicating with one another to keep this planet moving. Not even a decade ago, hardware dictated what software would do. Now not only has that reversed, but we have different pieces of software directing what other software does. This in itself wouldn't be a problem if it weren't for how software packages are being reused over and over again.

Derek Weeks (Vice President, Sonatype Inc.) had clearly spent a ton of time examining the software industry and brought with him an incredibly analytical examination of the problem at hand. Derek clearly stated that the way software is created nowadays has some major challenges. Open source packages are being used by companies and labelled as if the companies had originally created them. Some of these packages have known security vulnerabilities, yet organizations will still use them. And more often than not, the language in software companies' contracts will shield them from legal liability. As Derek said, there is no other industry in the world where you can willfully sell defective products and assume no responsibility.
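The concrete check behind Derek's point is a software-composition audit: take the list of pinned third-party packages an application ships with and compare each version against the advisories known for that package. The following script is an added example written for this recap; it is not code from the panel, from Sonatype or from the author. The manifest, the package names and the advisory identifiers (`ADV-EXAMPLE-…`) are all constructed placeholders, and the script assumes plain dotted numeric versions in `name==version` form.

```python
"""Added example (not from the article or the panel): a minimal
software-composition check that flags pinned dependencies whose versions
fall inside a known-vulnerable range.  The manifest and advisory list are
constructed for illustration; a real audit would pull advisories from a
vulnerability feed instead of a hard-coded list."""
import re
from dataclasses import dataclass

# Constructed sample manifest in requirements.txt style (not a real project's).
SAMPLE_MANIFEST = """
# web stack
example-web==2.3.1
example-json==1.0.9
example-crypto==0.9.0
example-log==4.2.0  # pinned for reproducibility
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str   # placeholder ids, not real advisory numbers
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive), or "" if no fix exists


# Constructed advisories for the hypothetical packages above.
SAMPLE_ADVISORIES = [
    Advisory("example-json", "ADV-EXAMPLE-001", "1.0.0", "1.1.0"),
    Advisory("example-crypto", "ADV-EXAMPLE-002", "0.0.0", ""),    # no fix released
    Advisory("example-web", "ADV-EXAMPLE-003", "2.4.0", "2.4.3"),  # does not cover 2.3.1
]


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical
    (a string compare would wrongly rank '1.2.10' below '1.2.9')."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package: version} for every 'name==version' line; blank lines and
    '#' comments are ignored, anything else is rejected rather than guessed at."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected iff introduced <= version < fixed; open-ended when no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not adv.fixed or v < parse_version(adv.fixed)


def audit(manifest_text: str, advisories: list) -> list:
    """Return sorted (package, version, advisory_id) tuples for every pinned
    dependency whose version lies in an advisory's affected range."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, adv_id in audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

Two details matter in practice and are reflected above: versions are compared numerically rather than as strings, and an advisory with no fixed version is treated as affecting every release from the introduced version onward, so the finding stays open until a patched release actually exists.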

At the end of the day, organizations really need to safeguard their physical and cyber worlds with the utmost care. As William noted, the threat is very real and it can come from any place. This view is echoed by numerous CISOs I have spoken to, and really by any member of a SOC team. Prior to joining D3 Security I was working for a different software company with Finance and Accounting team members. Even though most of my conversations revolved around forecasts, budgeting, tax reconciliation and more, when speaking to CFOs one of the major side topics we would discuss was data security and breaches.
