Making Security a Competitive Advantage

Embedding security into the culture of your organization is the best way to produce secure software in the age of open source development.

Interesting discussion with Mo Rosen, GM, CA Security; Sam King, GM, CA Veracode; and Mark Curphey, Founder and CEO, SourceClear, during CA's Built to Change Summit.

According to Mo, the digital economy will arrive together with the next generation of security, because the threat surface has expanded significantly over the last five years. Identity is the new perimeter, and application security is critical.

The scale of what we're securing is larger than anything we've seen before:

  • There has been an explosion of applications and APIs.

  • There are more and more connected devices.

  • IT is being consumerized.

Trust is critical to the digital economy:

  • 70% of consumers have taken steps to reduce their online exposure.

  • 50% have dropped a service after a published breach.

We need to apply the same rigor to logging into an application that we already apply to payments. Do this by providing developers with SDKs that build security into the application.

A cultural shift is needed whereby everyone in the company realizes security is their responsibility. DevSecOps is the salvation, as it enables developers to embrace security without a lot of friction: they get a set of tools that bake security in from the beginning, so there are no delays at the end of the SDLC.

If you improve the security of applications, you've removed a huge chunk of the threat surface. Once you've done that, you can apply it to IoT. Start by writing a five-line piece of code that changes the default password.

According to Sam King, 77% of applications have a vulnerability in them the first time they are scanned. Unfortunately, a lot of applications are in production without any scanning. More applications are introduced on a daily basis, and the move to DevOps enables applications to be developed more quickly. As such, we need to look at the process and methodology for building software security into the SDLC.

More than eighty percent (84%) of organizations now include security as part of their contracts with third-party providers. When companies implement application security programs, the security of their applications improves by 35%; however, only 27% are implementing application security.

Scott Bellamy, Senior Application Security Architect at Cardinal Healthcare, believes they must ensure the confidentiality, integrity, and availability of data for customers that interact with them through their web applications.

Cardinal's customers depend on them to deliver products and services when and where they need them, such as per-patient doses of medication. At the same time, they must protect the information, build security into the applications, shift security left, and write secure code. There are challenges in doing so, such as static application security testing: it must integrate with the Agile development process and provide eLearning for developers.

CA acquired SourceClear nine weeks ago to help developers use open source code safely. Mark Curphey pointed out that 75% of Cisco's code was not created by them and that 95% of the new code companies are producing includes open source software. However, reusable code results in reusable vulnerabilities.

The key takeaways from the session were:

  1. Identity is critical to the next generation of security.

  2. DevSecOps is the path to application security.

  3. Remove as much friction from security as possible for both developers and end users.

  4. Security is getting easier and faster.
