Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

04:30 PM
Connect Directly

3 Ways Companies are Working on Security by Design

Execs from top financial organizations and other companies share insights on building a security culture.

As cybersecurity professionals seek to bolster security culture across the enterprise, the concept of security by design has grown in prominence.

It has several interpretations: baking security fundamentals into development requirements, building less obtrusive security features for the convenience of customers, improving usability of security tools within IT organizations, or all of the above. But security by design stands at the forefront of security's role in digital transformation.  

To kick off Cybersecurity Awareness Month, the National Cyber Security Alliance yesterday held a virtual 2020 Cybersecurity Summit that featured luminaries from a number of organizations, including NIST, Bank of America, and Nasdaq. The big theme of the day was how security by design can aid in rolling out more usable security—for customers, internal users, technologists, and security personnel.

Here's what the speakers there shared on how companies today are working on security by design:

Related Content:

User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

Building Usable Software Securely

One of the highlights of the summit was a session led by Hari Gopalkrishnan, the client-facing platforms technology executive for Bank of America, who discussed the development of the firm's virtual financial assistant, Erica. An AI-driven platform, Erica was developed from the outset with security by design principals as a core part of success requirements.  

"One of the key tenets before we got to anything functional was the fact that it had to be secure by design because to us security and privacy are table stakes," Gopalkrishnan explained. 

An obvious part of that was baking security into the design lifecycle, ensuring that data flows are secure, authentication is appropriate, and so on. Additionally, AppSec best practices like code scanning and security testing of deployed software continue to remain top of mind. Other less obvious parts of the security by design ethos that has driven Erica's development also included examining AI modeling for potential bias, as well as building robust options for customers to opt in or out of privacy-impacting choices around things like geolocation and data use. 

This is huge in an era of using digital information for personalization and tailored services. 

"Some could argue a lot of, wow, wouldn't it be delightful if you could use all the data available to you, and when you be able to create a bigger aha moment for a customer, if you did that, and the answer is maybe, but we don't get to do that," Gopalkrishnan said. "And that's not the role that we play. When we think about responsibility in software development and responsibility as a bank to deliver to our customers, everything needs to be transparent." 

Making Security Features Frictionless

Strengthening security functionality while removing friction from the user experience is a huge part of security by design. While security transparency is important, the goal should be to abstract security actions away from the users where possible, said Roman Shapiro, director of information security for Nasdaq.

"Candidly, I think the industry is playing a little bit of catch-up in this regard, but we've learned to look closely at usage patterns — where you are logging in from, how you are logging in, and so on — taking sensible steps behind the scenes to give you the assurance you need that the session you're establishing is one you have confidence in," Shapiro says.

Multi-factor authentication is one of the biggest friction points for users, agreed Steve Clark, managing director and business unit information security officer for Bank of America. Clark explained that AI analytics of user patterns for the sake of authentication and authorization is increasingly going to become prevalent to reduce friction on that front, both in finance and in other industries.

Improving the Usability of Security Data

As security teams monitor how users are interacting with software assets and data on a daily basis, security by design will be crucial for setting security operators up for success as well. This means that teams are thinking closely about how the systems log user activity, what data is pulled from them and made available to SOC analysts, and how it is contextualized and enriched.

"What's difficult to do is pulling out the signal from the noise," explained Brian Vecci, field CTO for Varonis. "The next few years are going to be not necessarily aggregating more log information or more information. It's going to be doing two things, creating more usable profiling that combines different kinds of information, not just logs, but other metadata that we have about users' data, the devices that are being used, where people are coming from, the services that they're using, the access and building really useful profiles about what's normal to identify patterns of misbehavior."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
10/21/2020 | 9:09:51 PM
making security part of the app lifecycle requires automation
as a mobile app security practitioner, I strongly agree with many of the arguments put forth in this article. To truly build secure mobile apps, security needs to be 'baked-in' to the fabric of the app lifecycle....like DNA. 

and the only way to do that is by automating mobile app security and eliminating as much manual coding as possible. 


Alan Bavosa 

VP Security Products, Appdome 

[email protected] 

Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.