Intelligent CISO Issue 23 | Page 43

Cloud-native technologies will become the de facto choice for development teams – organisations will need to prioritise security

There has never been a better time to work in software than now. Developers are presented with an abundance of choice when designing and creating software applications. Systems of the past were designed as monoliths; having core logic tightly bound to a huge blob of software is today seen as an anti-pattern for stability and development velocity. Overwhelmingly, developers are choosing architectures that allow failure to happen in one part of the system without having an impact on the remaining system. Microservices, containers, orchestrators, service meshes and serverless computing are all enabling technologies that allow developers to achieve greater velocity.

This, however, brings a security challenge. A 2019 survey found that 35% of respondents lacked an understanding of how to deal with the attack vectors specific to cloud-native applications. Interestingly, 33% admitted that their development teams don’t involve cybersecurity experts for fear of being slowed down.

‘Everything-as-code’ (EAC) will include security

Everything needs to be code, but that’s not always the case today. We need software to be deployable and, increasingly, not to have to worry about how that will happen. ‘Infrastructure-as-code’ takes care of that by ensuring that the configuration of how software gets run just happens, without humans needing to execute manual steps to bring services up. This principle can apply to anything, including application security. This year, performant DevOps teams will ensure that Security-as-code is a design feature. Writing security tests into the configuration of how software is checked (and increasingly patched) before deployment will be standard. Security tests that complete in a short space of time will be selected as a priority. Typically, this will mean that results are expected back within 10 minutes, and accuracy is paramount. Noisy, lengthy security tests will either not go into pipelines or will be kicked out of the automation process.

Supply chain security needs to be brought into the next decade

Supply chains are becoming more complex, and with this complexity comes more opportunity for cybercriminals to cause chaos. Research shows that third-party software has more vulnerabilities than internally developed software. The people who care about the security of a particular piece of software are more often than not the ones using it, not the ones creating it. With developers releasing updates far more frequently, as well as leveraging open source code or software from multiple parties, organisations need to ensure they have the full picture of the code they are using at all times. Third-party penetration tests no longer work for the modern development cycle – which is now often daily rather than every few months. It is the organisation’s job to make sure certain standards are upheld so security can be ensured throughout the supply chain in real time. The focus this year should be on making security part of an organisation’s competitive advantage, and this should start with the supply chain.
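The Security-as-code principle described above, as an added example that is not part of the article: a CI pipeline definition in which the security check lives in the checked-in configuration, holds to the 10-minute budget, and moves lengthy, noisier scans out of the merge path into a nightly run. GitHub Actions as the platform, Trivy (via its published action) as the scanner, and the repository layout are assumptions.

```yaml
# Added illustration, not from the article: a GitHub Actions workflow that keeps
# security checks as code next to the build. The scanner (Trivy) and the
# repository layout are assumptions; the 10-minute budget is the article's figure.
name: security-as-code

on:
  pull_request:            # fast, accurate gate on every change
  schedule:
    - cron: "0 2 * * *"    # slow, exhaustive scan runs nightly, off the merge path

jobs:
  fast-gate:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    timeout-minutes: 10    # results expected back within 10 minutes, or the job is cut
    steps:
      - uses: actions/checkout@v4
      - name: Dependency and IaC scan, blocking only on actionable findings
        uses: aquasecurity/trivy-action@master   # pin to a commit SHA in production
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig
          severity: HIGH,CRITICAL
          ignore-unfixed: true     # accuracy: no failures a developer cannot act on
          exit-code: "1"           # a finding fails the check and stops the merge
          timeout: 8m              # tool budget sits inside the job budget

  deep-scan:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    timeout-minutes: 120   # lengthy, noisier tests live here, not in the pipeline gate
    steps:
      - uses: actions/checkout@v4
      - name: Full scan, all severities, reported rather than enforced
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig,secret
          severity: LOW,MEDIUM,HIGH,CRITICAL
          exit-code: "0"           # never blocks; findings are triaged from the report
          format: table
          output: trivy-nightly.txt
      - uses: actions/upload-artifact@v4
        with:
          name: trivy-nightly
          path: trivy-nightly.txt
```

A test that routinely overruns the 8-minute tool budget or produces findings nobody can fix is the "noisy, lengthy" case the article describes: it belongs in the nightly job, not the gate.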