Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

04:30 PM
Connect Directly

3 Ways Companies are Working on Security by Design

Execs from top financial organizations and other companies share insights on building a security culture.

As cybersecurity professionals seek to bolster security culture across the enterprise, the concept of security by design has grown in prominence.

It has several interpretations: baking security fundamentals into development requirements, building less obtrusive security features for the convenience of customers, improving usability of security tools within IT organizations, or all of the above. But security by design stands at the forefront of security's role in digital transformation.  

To kick off Cybersecurity Awareness Month, the National Cyber Security Alliance yesterday held a virtual 2020 Cybersecurity Summit that featured luminaries from a number of organizations, including NIST, Bank of America, and Nasdaq. The big theme of the day was how security by design can aid in rolling out more usable security—for customers, internal users, technologists, and security personnel.

Here's what the speakers there shared on how companies today are working on security by design:

Related Content:

User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

Building Usable Software Securely

One of the highlights of the summit was a session led by Hari Gopalkrishnan, the client-facing platforms technology executive for Bank of America, who discussed the development of the firm's virtual financial assistant, Erica. An AI-driven platform, Erica was developed from the outset with security by design principals as a core part of success requirements.  

"One of the key tenets before we got to anything functional was the fact that it had to be secure by design because to us security and privacy are table stakes," Gopalkrishnan explained. 

An obvious part of that was baking security into the design lifecycle, ensuring that data flows are secure, authentication is appropriate, and so on. Additionally, AppSec best practices like code scanning and security testing of deployed software continue to remain top of mind. Other less obvious parts of the security by design ethos that has driven Erica's development also included examining AI modeling for potential bias, as well as building robust options for customers to opt in or out of privacy-impacting choices around things like geolocation and data use. 

This is huge in an era of using digital information for personalization and tailored services. 

"Some could argue a lot of, wow, wouldn't it be delightful if you could use all the data available to you, and when you be able to create a bigger aha moment for a customer, if you did that, and the answer is maybe, but we don't get to do that," Gopalkrishnan said. "And that's not the role that we play. When we think about responsibility in software development and responsibility as a bank to deliver to our customers, everything needs to be transparent." 

Making Security Features Frictionless

Strengthening security functionality while removing friction from the user experience is a huge part of security by design. While security transparency is important, the goal should be to abstract security actions away from the users where possible, said Roman Shapiro, director of information security for Nasdaq.

"Candidly, I think the industry is playing a little bit of catch-up in this regard, but we've learned to look closely at usage patterns — where you are logging in from, how you are logging in, and so on — taking sensible steps behind the scenes to give you the assurance you need that the session you're establishing is one you have confidence in," Shapiro says.

Multi-factor authentication is one of the biggest friction points for users, agreed Steve Clark, managing director and business unit information security officer for Bank of America. Clark explained that AI analytics of user patterns for the sake of authentication and authorization is increasingly going to become prevalent to reduce friction on that front, both in finance and in other industries.

Improving the Usability of Security Data

As security teams monitor how users are interacting with software assets and data on a daily basis, security by design will be crucial for setting security operators up for success as well. This means that teams are thinking closely about how the systems log user activity, what data is pulled from them and made available to SOC analysts, and how it is contextualized and enriched.

"What's difficult to do is pulling out the signal from the noise," explained Brian Vecci, field CTO for Varonis. "The next few years are going to be not necessarily aggregating more log information or more information. It's going to be doing two things, creating more usable profiling that combines different kinds of information, not just logs, but other metadata that we have about users' data, the devices that are being used, where people are coming from, the services that they're using, the access and building really useful profiles about what's normal to identify patterns of misbehavior."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
10/21/2020 | 9:09:51 PM
making security part of the app lifecycle requires automation
as a mobile app security practitioner, I strongly agree with many of the arguments put forth in this article. To truly build secure mobile apps, security needs to be 'baked-in' to the fabric of the app lifecycle....like DNA. 

and the only way to do that is by automating mobile app security and eliminating as much manual coding as possible. 


Alan Bavosa 

VP Security Products, Appdome 

[email protected] 

NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...
PUBLISHED: 2021-01-20
Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is suppli...
PUBLISHED: 2021-01-20
A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read sensitive database files on an affected system. The vulnerability is due to insufficient user authorization. An attacker could exploit this vulnerability by accessing the vshell of an af...
PUBLISHED: 2021-01-20
Multiple vulnerabilities in Cisco SD-WAN products could allow an unauthenticated, remote attacker to execute denial of service (DoS) attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
PUBLISHED: 2021-01-20
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.