Don’t paint yourself into corners; think about security early on
NC4 VP and Chief Security Officer George Johnson talks about how you can protect your brand from the bad guys.
Companies spend a lot of time vetting new employees, but they don’t spend nearly as much time vetting their software. Developers often take free software off the web, mix it in with their own code and release it. This software then becomes part of the company’s product that their brand relies on.
NC4 VP and Chief Security Officer, George Johnson, was recently interviewed in a CA-sponsored Bloomberg Media Studios podcast with Mike Walker. According to Johnson, buying an app should be more like hiring an employee. He says companies need to start thinking differently about how they source, build and integrate software – and at what stage of their app development they should start thinking about security.
“A big part of the problem is that companies and developers don’t truly understand all the third party components they put into a finished product. This can lead to problems. Think about third party libraries like employees – would you hire just anyone to do critical tasks or would you screen them, test them, interview them? Same with software,” Johnson explains.
“You should know what is in there, have some assurance that it is well written, and try to know who wrote it and how seriously they took security. The point is that security is an emergent property of the processes employed to develop the product. Security cannot and will not emerge if the components are weak and the processes do not identify them.”
Johnson says building software is a bit like building a house: “If you’re initially planning to build a 3-story house, you can’t just get to the third story and suddenly decide you want eight more stories. If your foundation isn’t deep enough, the whole thing is going to fall over. The same thing applies to software. You have to start thinking about security at the time you start architecting your software.”
“If you don’t spend enough time thinking about what the ultimate solution is going to be, you wind up painting yourself into corners you never thought about. The act of getting out of the corners is where most of the vulnerabilities come in,” Johnson says. “You end up trying to get creative and rework the system at the last possible minute. That becomes a real problem.”
So what is the solution? “We need to change the mindset of the developers so that they’ll get creative early in the process and the architectural design before they even hit the keyboard.”
In the app economy, companies are under huge pressure to release new software to respond to market demands. Some say you know you’re successful when the bad guys start attacking your software. The implied message is that you don’t need to start thinking about security until your product is ready and bringing in revenue.
According to Johnson, this is unfortunately too late: “When you get hacked, your whole company can turn upside down. You have to blow up your architecture and rewrite all of your software. You might go out of business, or live with a lot of risk.”
Johnson’s advice is to start with the architecture work and spend enough time designing the product before building it. He points out that it’s also possible to outsource some very specific work in the security space.
“You can outsource the scanning of the code that your small team has written and yield out 60-70% of bugs and vulnerabilities before you go out to production. That actually gets you into the highest performing category of IT development.”
This is where security testing and threat mitigation techniques come in. NC4 is currently using CA Veracode’s Application Security Platform for traditional application testing, including static and dynamic scanning and manual penetration testing.
They are also using CA Veracode’s Software Composition Analysis (SCA) to reduce the risk from open source components. While open source code can speed up development cycles and reduce cost, it also comes with risks: a component that nobody on the team inventoried cannot be checked, patched or replaced when a vulnerability in it is disclosed. CA Veracode SCA helps companies build an inventory of the third-party components in their applications and identify known vulnerabilities in them, across both open source and commercial code.
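The vetting Johnson describes for third-party libraries, and the inventory-plus-matching that the SCA paragraph above summarizes, comes down to a mechanical check: list every component and its exact version, then compare that list against a feed of known-affected version ranges. The block below is an added example written for this page, not NC4’s or CA Veracode’s code. It parses a constructed requirements-style manifest, builds the inventory, and matches pinned versions against a constructed advisory list; the package names, versions and advisory IDs are all made up for illustration and are not real vulnerability records. A dependency that is not pinned to one version is reported separately rather than silently passed, because a floating version cannot be vouched for.

```python
"""Minimal software-composition check: inventory the components named in a
dependency manifest and match them against a list of advisories.

Added example for illustration. All package names, versions and advisory
identifiers here are constructed and do not refer to real software or real
vulnerability records.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed identifier, not a real CVE
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet


# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES = [
    Advisory("EXAMPLE-2019-0001", "flatjson", "1.0.0", "1.4.2"),
    Advisory("EXAMPLE-2019-0002", "webglue", "2.0.0", None),
    Advisory("EXAMPLE-2020-0003", "tinylog", "0.9.0", "1.0.0"),
]

# Constructed requirements.txt: one component has a fix available, one has
# no fix, one is already on the fixed version, and one is left unpinned.
MANIFEST = """\
# build deps
flatjson==1.3.0
webglue==2.1.0
tinylog==1.0.0
requests>=2.0   # unpinned: exact version unknown until install time
"""

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?"
)


def version_key(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically rather
    than as strings ('1.10' must sort after '1.9'). Padded to three parts."""
    nums = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_requirements(text: str) -> List[dict]:
    """Build the component inventory, one entry per dependency line.
    Comments and blank lines are skipped; 'pinned' is None unless the line
    fixes a single version with '=='."""
    inventory = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        inventory.append({"name": name, "pinned": ver if op == "==" else None, "spec": line})
    return inventory


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed is None or v < version_key(adv.fixed)


def scan(manifest: str, advisories: List[Advisory] = ADVISORIES) -> dict:
    """Inventory the manifest and report affected and unassessable components."""
    inventory = parse_requirements(manifest)
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package.lower(), []).append(adv)
    findings, unpinned = [], []
    for comp in inventory:
        if comp["pinned"] is None:
            unpinned.append(comp["name"])   # cannot vouch for a floating version
            continue
        for adv in by_pkg.get(comp["name"], []):
            if is_affected(comp["pinned"], adv):
                findings.append({
                    "package": comp["name"],
                    "version": comp["pinned"],
                    "advisory": adv.advisory_id,
                    "fix": adv.fixed or "no fix available",
                })
    return {"inventory": inventory, "findings": findings, "unpinned": unpinned}


if __name__ == "__main__":
    report = scan(MANIFEST)
    for f in report["findings"]:
        print(f"AFFECTED {f['package']}=={f['version']} {f['advisory']} (fix: {f['fix']})")
    for name in report["unpinned"]:
        print(f"UNPINNED {name}: pin an exact version so it can be assessed")
```

The check is only as good as the inventory it starts from: a component that is vendored into the tree or pulled in transitively never appears in the manifest and so is never matched, which is exactly the “don’t truly understand all the third party components” gap Johnson describes. A production tool resolves the full transitive dependency graph and fingerprints the actual artifacts rather than trusting the manifest’s names.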
NC4 is also tapping into CA Veracode’s eLearning solutions, which empower software developers, testers and security leads to develop secure applications from inception to deployment, providing the critical skills they need to identify and address potential vulnerabilities.
To hear more about what George Johnson has to say about protecting your brand from the bad guys in the right way, listen to the Last Adopter podcast.