Fostering the Culture of 'Security as a Valued Skill' to the Organization
By Dr. Andreas Kuehlmann, SVP and General Manager, Synopsys Software Integrity Group
• What do you think are the biggest obstacles that technologists face in working in a more agile and outcomes-based model?
As organizations transition to a more agile and continuous development model, software security needs to be considered throughout the development cycle by implementing software signoff as a critical part of every stage. Software security is a journey, and it needs to be embedded into the culture of the development organization, from the personnel to the processes and tools used. Adding software signoff, the strategic introduction of testing gates at critical progression points throughout the software development lifecycle and software supply chain, elevates the quality and security of the software.
A key component to this is using tools in the inner loop of development. It’s imperative that organizations embrace concepts such as not checking in new code before it is tested for security, not accepting a feature in an agile flow unless it passes security tests, and failing a build if it doesn’t meet security requirements. Some people think that security by definition is the opposite of agile, but this is a common misconception. In fact, building security into the software development process improves developer productivity. A security bug identified post development must be viewed as a functional defect in the code. Defects have a remediation cost of developer time.
Developers who have undergone security training will eliminate the bug at the source, reducing the time needed to find and remediate the bug. Identifying security bugs in the development environment and providing remediation guidance takes a fraction of the time spent in comparison to having a security team test code and go back to the developer for remediation. Developers should understand that security is now part of their job. This is accomplished through developer enablement: building security into their incentives, providing them proper training, and showing them that security is a valued skill to the organization.
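The build-failing signoff gate described in the answer above, as an added example that is not Synopsys's or the author's code: it reads static-analysis results in the SARIF 2.1.0 shape (the sample document is constructed), skips rules with a recorded risk acceptance, and fails the pipeline when findings exceed a per-severity policy. The policy thresholds and the risk-acceptance list are assumptions.

```python
"""CI gate for a software-signoff stage: fail the build when static-analysis
findings exceed the policy. Added example, not Synopsys or any vendor's code;
the SARIF-style input below is constructed for illustration."""
import json
import sys
from collections import Counter

# Constructed sample in the SARIF 2.1.0 shape that SAST tools commonly emit.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "sql-injection", "level": "error",
     "message": {"text": "query built from untrusted input"}},
    {"ruleId": "weak-hash", "level": "warning",
     "message": {"text": "MD5 used for password storage"}},
    {"ruleId": "unused-import", "level": "note",
     "message": {"text": "import never used"}},
]}]})

# Assumed signoff policy: maximum findings tolerated per SARIF level
# (None = unlimited). Tighten or loosen per stage of the lifecycle.
DEFAULT_POLICY = {"error": 0, "warning": 5, "note": None}


def count_findings(sarif_text, accepted_rules=()):
    """Count results per level, skipping rules with a recorded risk acceptance."""
    counts = Counter({"error": 0, "warning": 0, "note": 0})
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            if result.get("ruleId") in accepted_rules:
                continue
            counts[result.get("level", "warning")] += 1  # SARIF default level
    return counts


def evaluate_gate(sarif_text, policy=DEFAULT_POLICY, accepted_rules=()):
    """Return a decision dict: passed flag, per-level counts, and violations."""
    counts = count_findings(sarif_text, accepted_rules)
    violations = [f"{level}: {counts[level]} finding(s), policy allows {limit}"
                  for level, limit in policy.items()
                  if limit is not None and counts[level] > limit]
    return {"passed": not violations, "counts": dict(counts),
            "violations": violations}


if __name__ == "__main__":
    # In a pipeline, read the tool's real SARIF file; here the sample is used.
    decision = evaluate_gate(SAMPLE_SARIF)
    for line in decision["violations"]:
        print("GATE FAIL -", line)
    print("software signoff:", "PASS" if decision["passed"] else "FAIL")
    sys.exit(0 if decision["passed"] else 1)  # non-zero exit fails the build
```

Wire the script in as the last step of the pre-merge job so a failed gate blocks the feature from being accepted, and keep the accepted-rules list in version control so every exception is reviewed like code.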
• What set of skills do you think is required for the technology leaders to be successful in the new enterprise landscape?
It is essential for today’s technology leaders to embrace security as an inseparable component of software development and delivery. Leaders need to shift their mindsets and enable their technology teams to address security proactively by building measures and best practices into their workflows. This fundamentally requires a combination of skills, technology, and tools.
There should be a well-defined software security group with equally well-defined policies and tools to measure efficacy. Technology leaders need to make sure they invest in the proper tools and talent to build and promote a software security group. Leaders should cultivate a working relationship between developers and IT Security so the teams have common goals, standards, and priorities around software security.
• Which growing or future technology innovation are you personally excited about?
I’m personally very excited about the Internet of Things (IoT). IoT spans from the end device through the communication network to the cloud. For devices to function with any degree of intelligence, software must be present. If software is not designed and constructed securely, it will contain vulnerabilities that can be exploited. This means that anything connected to the internet—from a streetlight to a complex medical device—can be discovered and potentially infiltrated, and the associated software will be the target. Therefore, it is important to consider any internet-connected device in your threat model.
IoT is a new challenge that shows tremendous promise, but also comes with a lot of security risks that, if left unaddressed, can cause more harm than good. IoT is interesting because it marries embedded software security with enterprise security. Software defects in embedded devices can have a large impact on the reliability of systems upon which people's lives depend. Because the systems are only as secure as each component, testing embedded software is a crucial component of development.
Look at the Mirai botnet, for example, and its use of interconnected devices, namely surveillance cameras. This resulted in a recall of more than 10,000 surveillance cameras—the first recall was a result of an IoT-based botnet. While the botnet did not use software vulnerabilities, the next IoT-based botnet might. This is exactly why it’s important to consider security at the foundational level.
Everywhere you look IoT is emerging, from connected devices in houses to vehicles and children’s toys. Security must be built into these IoT devices and systems just like any other application. In the end, we should accept the importance of building security in. We shouldn’t be pressured to connect things quickly and cheaply before doing what is necessary to ensure security.