Keeping up with today’s rapidly evolving threat landscape is an ongoing journey for software development enterprises in cloud-native environments, as many struggle to keep their assets and customers secure while keeping up with the competitive pace of software delivery in cloud-native environments.
The need for addressing these challenges arises as organizations’ software development ecosystems become more layered and complex. Reliance on third-party and open source components continues to rise, requiring organizations to cover supply chain security as well as the wide range of platforms and components that aren’t developed in-house.
Organizations will need to continuously improve their application security strategies to address new threats. Shifting security left into the development phases, and promoting shared ownership over security shared across teams will become a crucial part of achieving secure software delivery.
The roundtable included a panel of experts included Rhys Arkins, Director of Product Management at Mend, who hosted the panel; Michiel Prins, Co-Founder and Product Lead at HackerOne; Scott Ward, Principal Solutions Architect at AWS; and Dragan Pleskonjic, Senior Director Application Security at IGT.
The experts addressed a number of issues facing organizations, including:
Dragan Pleskonjic of IGT pointed out that 10 years ago or more, security was focused on the perimeter around data networks, while today the focus shifts to the software-defined perimeter, and defense in-depth. Scott Ward of AWS explains: “there’s a lot more focus around how do you secure that actual application itself, with the network almost being decoupled or a separate layer that another team can actually take care of.”
AWS’ Scott Ward shared his observations about when security should be integrated into the development process and helping customers bake security into their DevOps pipeline. Ward explained that this requires security teams to be more involved in the development process while making sure that the development team can still move fast.
Mend’s Rhys Arkins started out by noting that this is a relatively new challenge and explained that the term “software supply chain” refers to any component in a company’s software process that could be used to compromise what they ultimately produce.
HackerOne’s Michiel Prins added his professional observation that hackers are very focused on the supply chain. He explained: “whatever suppliers you use to run your business, including your whole software stack, is something that the hacker community takes a big interest in.” Prins shared with the panel that many of their customers are showing an interest in securing their supply chain, adding some of their mission-critical suppliers to the scope of their bug bounty programs.
When it comes to vulnerability disclosure, Arkins pointed out another shift the industry is undergoing, where secrecy around security vulnerabilities is replaced by transparency and collaboration. HackerOne’s Prins stated: “the only way to solve security is to collaborate with others, and be transparent as well. That’s when you can begin to start demonstrating that you’re worthy of the consumers’ trust.” He went on to present the example of the US Department of Defence, which is currently running one of the largest Vulnerability Disclosure Programs (VDPs).
To summarize, AWS’ Scott Ward reminded participants that security is continuous, explaining that when teams find the right strategy and processes, they need to ensure they don’t change. In addition, they must “continue to reevaluate, because if you’re moving in any sort of pace, your software, your applications are going to be changing over time, and it’s important to make sure that your security is keeping up with that at all times.”