One Article Review

Source Veracode
Identifier 2818136
Publication date 2021-05-20 17:34:42 (seen: 2021-05-20 22:05:30)
Title Live From RSAC: AppSec's Future and the Rise of the Chief Product Security Officer
Text Chris Wysopal, Co-Founder and CTO at Veracode, and Joshua Corman, Chief Strategist of Healthcare and COVID at CISA, presented at the 2021 RSA Conference on AppSec's future and the need for a new Chief Product Security Officer (CPSO) role.

Wysopal started by quoting entrepreneur Marc Andreessen saying, "Software is eating the world," to express just how much we rely on technology. From our iPhones and laptops to our cars and even our refrigerators... software is everywhere. If we look back at the rise of software, it was originally used largely to automate manual processes in the back office of businesses, like banking software for a teller. But now we are using software to deliver products to a customer, like a mobile banking application. So, as Wysopal stated, "There's not just more software. There are different kinds of software." And this software that's being released as products to customers has added risk.

Using the mobile banking application as an example, Wysopal noted that it's riskier to use a customer-facing application to conduct your banking than it is to go to the bank and have a teller use the back-end software. More people have access to the mobile banking application, and anyone in the world could connect to the APIs.

And the risk associated with software products is only going to continue to grow. Consider the way we are creating apps now: APIs are the bloodstream. Each microservice, serverless component, container, or public API is more attack surface. Applications that connect with social networking create more attack surface. Migrating to new software and forgetting to retire legacy software leads to more attack surface. And there is risk with new software trends as well. For example, ubiquitous connectivity is now the standard mode for any product. Abstraction and componentization are also big trends: instead of writing code, we now frequently use a library or write a script to instruct something else to be built. It's great to build applications quickly, but it changes the way you have to think about security and the supply chain.

[Figure: Technology trends]

That's why we need a CPSO role, not just a Chief Information Security Officer (CISO). A CISO is concerned with compliance and protecting the company's brand, but a CPSO would be responsible for managing product risk. Product risk spans many departments (engineering, compliance, supplier management, and information risk) and will likely span even more departments over the next few years. CISOs have too much on their plate to take on product risk as well. Corman mentioned that many healthcare organizations have started adding a CPSO-type role, and others should follow suit, especially given the increase in software breaches. As mentioned in our blog outlining Anne Neuberger's RSAC address, cyberattacks have increased by 67 percent in the past five years, and many of these breaches, like SolarWinds and Microsoft Exchange, are having national security implications. In fact, the Biden administration recently released an executive order to safeguard U.S. cybersecurity. So having a role dedicated to managing product risk is not only beneficial but arguably essential.

For more summaries of RSA Conference 2021 sessions, check the Veracode Blog,
Sent Yes
Tags Guideline
Stories Uber
Notes ★★


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.