Achieving Secure Defence in Depth – Rahim Jina, COO/Co-Founder
Achieving Secure Defence in Depth, a webinar organised by Infosecurity magazine, was an informative session of expert insight into the best practices for achieving a truly comprehensive security posture.
The one and only Dan Raywood (shout out to him for featuring among the 100 top influencers at this year’s RSA, according to a list published by Onalytica!) chaired the conversation, and representatives from Oracle and Jardine Software were also present to provide valuable industry knowledge on how best to create and maintain in-depth security. My presentation focused on the two areas where businesses and organisations should concentrate their cybersecurity effort: creation and nurturing.
Creating a secure environment requires building a solid foundation, and this can be achieved by looking at a Secure Development Life Cycle (SDLC), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and toolchain integration.
A secure SDLC simply means that security is an integral part of the entire development process rather than an addition bolted on at the end. Designing security into apps and systems is essential, not only to avoid the cost of fixing vulnerabilities that could have been prevented at the design and development stage, but also because controls that are native to the application are more effective than ones retrofitted around it.
SAST, which analyses source code (or compiled artefacts) without executing it, fits into any SDLC methodology because it can run as soon as code exists, from a developer’s editor to a build job. Both commercial and open source tools are available for this kind of testing. DAST, or runtime testing, is equally integral to secure development: where SAST analyses the application from the inside, DAST examines the security of the running application from the outside, as an attacker would see it, and so catches configuration and deployment issues that source analysis cannot.
Toolchain integration takes these measures a step further by matching your defences to the way you actually produce code: scanners run automatically on each commit or build, findings land in the issue tracker developers already use, and a failing check can block a merge. No single tool covers every discipline of security operations, but today customers are spoilt for choice of effective tools that can be integrated into their security systems and tailored to the business’s needs.
Implementing security measures is essential, but it is just as important to gauge how effective they are. Metrics should therefore be kept for all assets, systems and applications: there is no point spending on security measures whose efficacy cannot be demonstrated and which add nothing to the overall security posture.
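As an added illustration of what "matching defences to how you produce code" looks like in practice, the following Python gate consumes the output of a SAST tool (in SARIF 2.1.0, the interchange format most static analysers can emit) and a DAST scan, fails the build when policy is violated, and records per-run metrics. This is example code written for this page, not a product of any vendor mentioned in it; the SARIF document and the DAST report are constructed inline, and the DAST report shape (name/risk/url) and the severity thresholds are assumptions of the example.

```python
"""Added example: a CI gate that merges SAST (SARIF) and DAST findings,
fails the build on policy violations and records metrics for each run."""
import json
from dataclasses import dataclass

# Constructed SARIF 2.1.0 output in the shape many SAST tools emit
# (rule IDs, file names and messages are made up for this example).
SAST_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitised input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Constructed DAST output. Runtime scanners have no single standard report
# format, so this name/risk/url shape is an assumption of this example.
DAST_JSON = json.dumps({
    "alerts": [
        {"name": "Missing Content-Security-Policy", "risk": "Medium",
         "url": "https://staging.example/login"},
        {"name": "Reflected XSS", "risk": "High",
         "url": "https://staging.example/search?q="},
    ]
})

SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}
DAST_RISK_TO_SEVERITY = {"High": "high", "Medium": "medium",
                         "Low": "low", "Informational": "info"}


@dataclass(frozen=True)
class Finding:
    source: str      # "sast" or "dast"
    severity: str    # "high", "medium", "low" or "info"
    title: str
    location: str    # file:line for SAST, URL for DAST


def parse_sarif(text: str) -> list:
    """Normalise SARIF results into Finding records."""
    findings = []
    for run in json.loads(text)["runs"]:
        for r in run.get("results", []):
            sev = SARIF_LEVEL_TO_SEVERITY.get(r.get("level", "warning"), "medium")
            loc = "unknown"
            for entry in r.get("locations", []):
                phys = entry.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                loc = f"{uri}:{line}"
                break  # first location is enough for a gate
            findings.append(Finding("sast", sev, r["ruleId"], loc))
    return findings


def parse_dast(text: str) -> list:
    """Normalise the assumed DAST alert format into Finding records."""
    return [Finding("dast", DAST_RISK_TO_SEVERITY.get(a["risk"], "medium"),
                    a["name"], a["url"]) for a in json.loads(text)["alerts"]]


def gate(findings, fail_on=("high",), warn_on=("medium",)):
    """Return (passed, metrics). The build fails on any fail_on severity."""
    metrics = {"sast": {}, "dast": {}}
    for f in findings:
        metrics[f.source][f.severity] = metrics[f.source].get(f.severity, 0) + 1
    blockers = [f for f in findings if f.severity in fail_on]
    warnings = [f for f in findings if f.severity in warn_on]
    metrics["blocking"] = len(blockers)
    metrics["warnings"] = len(warnings)
    return len(blockers) == 0, metrics


def run_pipeline_gate(sast_text=SAST_SARIF, dast_text=DAST_JSON):
    """Merge both scans, print a report and return the gate verdict."""
    findings = parse_sarif(sast_text) + parse_dast(dast_text)
    passed, metrics = gate(findings)
    for f in findings:
        print(f"[{f.source}] {f.severity:<6} {f.title} @ {f.location}")
    print("metrics:", metrics, "-> build", "PASSED" if passed else "FAILED")
    return passed, metrics


if __name__ == "__main__":
    import sys
    ok, _ = run_pipeline_gate()
    sys.exit(0 if ok else 1)  # non-zero exit is what blocks the merge
```

The metrics dictionary is the part worth persisting per build: counts by severity and by source over time are exactly the efficacy measure the paragraph above asks for, and a rising "blocking" count on a given team's pipeline is a signal in itself.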
The nurturing side, by contrast, focuses on maintaining and protecting these building blocks. The security of a system inevitably degrades over time as new vulnerabilities are disclosed, dependencies age and configurations drift, which is why security should be a continuous effort rather than a one-time investment.
Visibility is one of the most important aspects of nurturing your security posture: you can’t protect what you didn’t know was there. Enterprises should keep an asset inventory that shows what in their networks and infrastructure needs protecting, and should aim for a complete picture of their security posture.
Full-stack vulnerability management, covering both the application layer and the infrastructure underneath it, provides far more reliable and consistent protection than ad hoc, infrequent tests. Ongoing assessment, and mapping of the risk each vulnerability poses to the application and the infrastructure it runs on, informs remediation prioritisation and greatly reduces the risk of a breach.
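To show how an asset inventory and risk mapping feed remediation prioritisation (the visibility and full-stack vulnerability management points above), here is an added Python example. It is illustrative code written for this page, not edgescan’s or any vendor’s method: the inventory, the findings and the scoring weights (exposure, exploit availability, asset criticality on a 1 to 5 scale) are all constructed assumptions, chosen to make the point that a 9.8 CVSS on an internal wiki can rank below a 6.1 on an internet-facing customer portal.

```python
"""Added example: context-aware prioritisation of findings across
application and infrastructure assets, driven by an asset inventory."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    layer: str              # "app" or "infra"
    internet_facing: bool
    criticality: int        # 1 (low) .. 5 (crown jewels); an assumed scale
    owner: str


@dataclass
class Vulnerability:
    asset: str
    title: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_available: bool
    first_seen_days_ago: int


# Constructed inventory: what exists, who owns it and how exposed it is.
INVENTORY = {a.name: a for a in [
    Asset("customer-portal", "app", True, 5, "web-team"),
    Asset("internal-wiki", "app", False, 2, "it-ops"),
    Asset("db-primary", "infra", False, 5, "dba-team"),
    Asset("bastion-01", "infra", True, 4, "it-ops"),
]}

# Constructed findings; titles are illustrative, not real CVEs.
FINDINGS = [
    Vulnerability("customer-portal", "Reflected XSS in search", 6.1, True, 3),
    Vulnerability("internal-wiki", "Outdated framework (RCE)", 9.8, True, 40),
    Vulnerability("db-primary", "Default credentials on admin port", 9.8, False, 2),
    Vulnerability("bastion-01", "SSH allows password auth", 5.3, False, 90),
    Vulnerability("unknown-host-17", "Open management interface", 7.5, True, 1),
]


def risk_score(v: Vulnerability, inventory: dict) -> float:
    """Combine raw severity with asset context. Weights are assumptions."""
    asset = inventory.get(v.asset)
    if asset is None:
        # A finding on something the inventory does not know about is itself
        # a visibility gap: treat it as exposed and critical until claimed.
        exposure, criticality = 2.0, 5
    else:
        exposure = 2.0 if asset.internet_facing else 1.0
        criticality = asset.criticality
    exploit = 1.5 if v.exploit_available else 1.0
    return round(v.cvss * exposure * exploit * criticality / 5, 2)


def prioritise(findings, inventory):
    """Return (score, asset, title) tuples, highest risk first."""
    ranked = sorted(findings, key=lambda v: risk_score(v, inventory), reverse=True)
    return [(risk_score(v, inventory), v.asset, v.title) for v in ranked]


def inventory_gaps(findings, inventory):
    """Assets that produced findings but are missing from the inventory."""
    return sorted({v.asset for v in findings if v.asset not in inventory})


def owner_for(asset_name: str, inventory: dict) -> str:
    """Route the remediation ticket; unowned assets go to a triage queue."""
    asset = inventory.get(asset_name)
    return asset.owner if asset else "asset-triage"


if __name__ == "__main__":
    for score, asset, title in prioritise(FINDINGS, INVENTORY):
        print(f"{score:6.2f}  {asset:<16} {owner_for(asset, INVENTORY):<12} {title}")
    print("not in inventory:", inventory_gaps(FINDINGS, INVENTORY))
```

Note that the unknown host ends up at the top of the list by design: a finding on an asset nobody has recorded is an inventory problem as much as a vulnerability, and routing it to a triage queue rather than dropping it is how the inventory gets more complete over time.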
For more information on the importance of integrated, platform-based approaches to better application security, as well as ways to apply modern strategies to improve your current security posture please visit edgescan.com.
This webinar is available to view at www.infosecurity-magazine.com; Rahim’s presentation is the first one and runs for about 25 minutes.