With major cyber attacks on critical infrastructure such as the SolarWinds attack, the Florida’s water treatment facility hack, and the US East Coast’s Colonial Pipeline ransomware crisis, the security of products — and not just information systems — really need to be taken more seriously, argues Chris Wysopal, founder and CTO of code scanning company Veracode.
While the CISO protects information in the enterprise, Wysopal is arguing this week at the RSA 2021 conference that products need an equivalent level of attention to enterprise information systems. His call for greater focus on product security comes as supply chain attacks are on the rise and governments across the world attempt to grapple with the problem of products that have been tampered with enter an organization.
“Products are different. Products leave the enterprise. Think of Tesla’s product security. It’s the car. You could think of a medical device company, but even in more information-oriented companies, it’s an app, it’s a standalone website and they’re starting to become outside of the enterprise. They have a life of their own,” Wysopal tells ZDNet.
Wysopal is notable figure in the cybersecurity scene, and was one of the original vulnerability researchers and one of seven member of the L0pht ‘hacker think tank’ who told the US Senate in 1998 that the group could bring down the internet in 30 minutes.
Wysopal reckons products like these need a C-level exec with a better engineering skillset than a CISO typically has — a role more focused on monitoring networks and systems to keep hackers out.
“Historically, a CISO has not been required to build in security in to a piece of software or a device,” he says.
“The traditional CISO doesn’t have that security engineering and product engineering background. They traditionally have grown up through compliance or network security, and they don’t have the understanding of software or code-level vulnerabilities. So you’ll have a lot of times where you have product security not reporting to a CISO, but reporting to the VP of engineering.”
At Veracode, the CISO reports to him as the CTO, while his head of product, which sits at a director level, also reports to him.
“Product security is a separate function, even at Veracode. And we’re a software-as-a-service company. We don’t ship any products or anything IoT, which I think really requires an elevated product security person.”
“It’s more important than the security of the rest of the business,” he argues, adding that at some point, apps become the product rather than just an extension of backend systems. This is relevant to the banking, insurance, retail, government and other sectors that now create apps that differentiate the business amongst competitors.
“The risk of that software starts to become more important,” he says. And attackers are getting ever smarter, as shown by the SolarWinds attack.
“When someone is planting a sophisticated backdoor, you’re not going to be able to detect it just by looking at the code,” he says.
“That’s why the integrity and security of the software development pipeline has become so important. Because that’s how you protect against someone inserting a backdoor like in SolarWinds. So instead of hoping to look at that binary artifact at the end and hoping to detect it — that’s not a good solution to this type of attack.”
The solution is, he says, to have good security on all the different parts of the pipeline. This includes making sure that developers who have permission to modify code use two factor authentication when accessing a code repository to update code. They should also be cryptographically signing all the different artifacts that become part of the final build of a software product.
Wysopal is optimistic that US president Joe Biden’s cybersecurity-focused executive order will have a positive impact on how cybersecurity is handled in the private sector in the US.
“We see that the requirements for doing business with the federal government will be adopted in the private sector. Enterprises in lots of different sectors will push this on to their vendors. Cyber insurance companies will look at this and say, ‘Hey, this is lowering the risk of the federal government and if you do these same practices, your insurance premiums will be less.’
“The federal government is setting a good example. Parallel to that, we see that Congress, which can pass laws that affect everyone doing business in the US. Congress will also learn from this and will codify some of this into law.”
In other words, Biden’s executive order, while only applying to federal agencies, could have major implications for classical critical infrastructure as well as banking, healthcare and other sectors the US considers vitally important.
“That could be dictated by law. It might not just be the market making it happen,” he says.