The only automated NLP-based API security platform that protects enterprise applications at scaleLearn More »
At Allegiant Airlines, Chief Information Security Officer Rob Hornbuckle is leading an interesting initiative to improve awareness, visibility, and collaboration across teams and the development lifecycle.
To develop and maintain their customer-facing applications, they have 10 persistent development teams at any given time. However, orchestrating security among disparate teams is no walk in the park. It requires substantial visibility and a culture shift that encourages initiative and responsibility-taking.
To keep security at the forefront, they established a security champion program that puts two people on every team with the responsibility for ensuring certain security standards during development. These champions help the rest of the team drive knowledge and communication throughout the entire system.
This program empowers visibility into application security at the organizational level via monthly meetings that focus on everything that's happening with security within the different application programming groups. These meetings enable the organization to provide metrics regarding the overall security health achieved by different teams over time to help gain buy-in from senior executives and board members.
With many enterprises using dozens, if not hundreds or more, different security tools addressing different systems, CISOs are challenged to understand what is of critical importance, so they can effectively prioritize vulnerabilities to mitigate risk.
But just because a server is unpatched doesn’t necessarily mean that it poses a true business risk. What’s required is not only visibility into vulnerabilities, but rather into the exposure it creates and the potential business impact in case of a breach.
To truly be able to associate the business risk with a vulnerability, Rob Hornbuckle believes that executive management needs both a solid understanding of application programming, as well as formidable knowledge of the inner workings of an organization’s business model. This enables them to prioritize mitigation in accordance with the true business impact of a potential breach on their unique business model.
Even if a specific vulnerability was able to disrupt operations at Colonial Pipeline, for example, it doesn’t mean that that same vulnerability holds any risk to another organization's bottom line, especially if their business model is different. The most important assets to protect are those services and applications that expose critical business functions.
Rallying the organization around security is no easy task, especially when their input - as valuable and important as may be - often creates delays and adds work to harried development teams. Ensuring that all levels of the organization understand the importance of the security team is a critical step in implementing secure development processes.
At BNP Paribas, the Global Head of Technology Risk Intelligence Sandip Wadje points out that making it easy for the organization to understand just how big their internal and external attack surfaces are and exactly which critical business functions are exposed, is paramount.
The first step is discovery - knowing what you have, how it’s used, why it exists. While this step is pretty straightforward, in the second step, governance, enterprises should seek to understand which steps they’re taking in terms of application development, maintenance and ongoing monitoring. Organizations must ensure that they have either a centralized governance committee or a 3rd party technology risk team to oversee internal organization security measures.
The third stage is that of assurance regarding ongoing security measures. Ongoing security monitoring that continuously analyzes new vulnerabilities as they’re discovered significantly reduces risks, as exploited vulnerabilities are often those that weren't known to the organization.
Finally, resilience is another key capability to develop. Putting in place concrete procedures for incident response and reducing exposure is essential in the case that vulnerabilities have been exploited. As many organizations are already using different security solutions, ensuring effective use of these solutions in protecting critical business applications is key.
Take this example: at BNP Paribas, the security team created a blueprint of different applications to understand how each one was impacted by the transition to the cloud. This blueprint is used by executive management to empower a view of the different workloads that could be safely migrated to the cloud.
They then created governance around it, both at the corporate group level which focused on strategy and at the operational level which focused on ongoing monitoring assurance. Their next step was to create an API steering committee to prioritize services in terms of their ability to monetize data. Finally, they set up a 3rd party risk management program and included important internal stakeholders to develop their application security strategy.
Much like individuals, teams also have a reputation. For security teams, it is highly important to ensure that over time they aren't viewed as a nuisance getting in the way of speedy deliveries, but rather as a business enabler. This is where regulations can actually go a long way in ensuring that this isn’t the case.
By conditioning the launch of new initiatives on adherence to security, safety, and compliance measures, security teams become a necessity. Once security teams clearly draw lines between regulations, the vulnerabilities they discover, and the business impact, development teams will stop seeing them as a nuisance.
This elevates security to a strategic business enabler and even a competitive differentiator.
At Mastercard, for example, under the leadership of a CEO that has been focused on security from the get-go, their corporate security team is at the heart of their business model and provides security services to all of their customers and to the ecosystem at large.
In the API-era, organizations must rethink their security posture. Trends like the crisis of confidence, supply chain interconnectedness, regulations and the increasing number of malicious actors dictate the shift to an inside-out approach in terms of cyber security.
With more and more enterprises allowing users to access data and functionality through APIs, the security perspective must change from restricting access to better controls and permissions.
To get started, organizations must first ensure clear visibility of vulnerabilities and the ability to prioritize according to business impact. Ensuring that the entire organization understands the threats and risks posed to their critical business processes is also key.
Establishing formal processes including discovery, assurance, ongoing monitoring and resilience and finally, changing the view of security teams from a nuisance to a necessity is critical to shipping secure products.