
Application Security

10/7/2020
04:30 PM

3 Ways Companies are Working on Security by Design

Execs from top financial organizations and other companies share insights on building a security culture.

As cybersecurity professionals seek to bolster security culture across the enterprise, the concept of security by design has grown in prominence.

It has several interpretations: baking security fundamentals into development requirements, building less obtrusive security features for the convenience of customers, improving usability of security tools within IT organizations, or all of the above. But security by design stands at the forefront of security's role in digital transformation.  

To kick off Cybersecurity Awareness Month, the National Cyber Security Alliance yesterday held a virtual 2020 Cybersecurity Summit that featured luminaries from a number of organizations, including NIST, Bank of America, and Nasdaq. The big theme of the day was how security by design can aid in rolling out more usable security—for customers, internal users, technologists, and security personnel.

Here's what the speakers there shared on how companies today are working on security by design:


Building Usable Software Securely

One of the highlights of the summit was a session led by Hari Gopalkrishnan, the client-facing platforms technology executive for Bank of America, who discussed the development of the firm's virtual financial assistant, Erica. An AI-driven platform, Erica was developed from the outset with security by design principles as a core part of its success requirements.

"One of the key tenets before we got to anything functional was the fact that it had to be secure by design because to us security and privacy are table stakes," Gopalkrishnan explained. 

An obvious part of that was baking security into the design lifecycle, ensuring that data flows are secure, authentication is appropriate, and so on. Additionally, AppSec best practices like code scanning and security testing of deployed software remain top of mind. Other, less obvious parts of the security by design ethos that has driven Erica's development included examining AI models for potential bias, as well as building robust options for customers to opt in or out of privacy-impacting choices around things like geolocation and data use.

This is huge in an era of using digital information for personalization and tailored services. 

"Some could argue a lot of, wow, wouldn't it be delightful if you could use all the data available to you, and when you be able to create a bigger aha moment for a customer, if you did that, and the answer is maybe, but we don't get to do that," Gopalkrishnan said. "And that's not the role that we play. When we think about responsibility in software development and responsibility as a bank to deliver to our customers, everything needs to be transparent." 

Making Security Features Frictionless

Strengthening security functionality while removing friction from the user experience is a huge part of security by design. While security transparency is important, the goal should be to abstract security actions away from the users where possible, said Roman Shapiro, director of information security for Nasdaq.

"Candidly, I think the industry is playing a little bit of catch-up in this regard, but we've learned to look closely at usage patterns — where you are logging in from, how you are logging in, and so on — taking sensible steps behind the scenes to give you the assurance you need that the session you're establishing is one you have confidence in," Shapiro says.

Multi-factor authentication is one of the biggest friction points for users, agreed Steve Clark, managing director and business unit information security officer for Bank of America. Clark explained that AI analytics of user patterns for the sake of authentication and authorization is increasingly going to become prevalent to reduce friction on that front, both in finance and in other industries.

Improving the Usability of Security Data

As security teams monitor how users are interacting with software assets and data on a daily basis, security by design will be crucial for setting security operators up for success as well. This means that teams are thinking closely about how the systems log user activity, what data is pulled from them and made available to SOC analysts, and how it is contextualized and enriched.

"What's difficult to do is pulling out the signal from the noise," explained Brian Vecci, field CTO for Varonis. "The next few years are going to be not necessarily aggregating more log information or more information. It's going to be doing two things, creating more usable profiling that combines different kinds of information, not just logs, but other metadata that we have about users' data, the devices that are being used, where people are coming from, the services that they're using, the access and building really useful profiles about what's normal to identify patterns of misbehavior."
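The two ideas above (Nasdaq's "look at usage patterns ... taking sensible steps behind the scenes" and Varonis's "profiles about what's normal") can be sketched as a small adaptive-authentication check. This is an added illustration, not code from any of the companies quoted: the login fields, the per-user baseline built from a constructed history, the risk weights and the three outcomes (allow silently, step up to MFA, step up and alert the SOC) are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    country: str   # where the user is logging in from
    device: str    # how they are logging in (device fingerprint, assumed)


# Constructed sample history (not real data) used to build per-user baselines.
HISTORY = [
    Login("alice", "US", "laptop-7f3a"),
    Login("alice", "US", "laptop-7f3a"),
    Login("alice", "US", "phone-19c2"),
    Login("bob", "DE", "desktop-0a11"),
    Login("bob", "DE", "desktop-0a11"),
]


def build_profiles(history):
    """Return {user: {"country": Counter, "device": Counter}}: what is normal per user."""
    profiles = defaultdict(lambda: {"country": Counter(), "device": Counter()})
    for e in history:
        profiles[e.user]["country"][e.country] += 1
        profiles[e.user]["device"][e.device] += 1
    return profiles


def risk_score(profile, attempt):
    """Assumed weights: a never-seen country counts 2, a never-seen device counts 1."""
    score = 0
    if attempt.country not in profile["country"]:
        score += 2
    if attempt.device not in profile["device"]:
        score += 1
    return score


def decide(profiles, attempt, step_up_at=1, alert_at=2):
    """Map the risk score to a behind-the-scenes action; thresholds are assumptions."""
    if attempt.user not in profiles:
        return "step_up"          # no baseline yet: always ask for MFA
    score = risk_score(profiles[attempt.user], attempt)
    if score >= alert_at:
        return "step_up_and_alert"  # MFA plus an enriched event for SOC analysts
    if score >= step_up_at:
        return "step_up"            # MFA only; the user sees friction just this once
    return "allow"                  # normal pattern: no friction at all
```

A real deployment would key the baseline on far richer metadata (network, time of day, service accessed), but the shape stays the same: compute what is normal first, then spend user friction only where the attempt deviates from it.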

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
Comments
abavosa1, User Rank: Author
10/21/2020 | 9:09:51 PM
Making security part of the app lifecycle requires automation
As a mobile app security practitioner, I strongly agree with many of the arguments put forth in this article. To truly build secure mobile apps, security needs to be 'baked in' to the fabric of the app lifecycle... like DNA.

And the only way to do that is by automating mobile app security and eliminating as much manual coding as possible.

Best, 

Alan Bavosa 

VP Security Products, Appdome 

[email protected] 
