“They were all based on third-party software and they were all stealing data. They weren’t about ransomware or virus injection. They were all aimed at stealing data.”
Mr Doherty raised the example of the £20 million fine collected by the ICO from British Airways for its 2018 data security breach. The fine was significantly less than the £183m originally proposed, but was still a record, because British Airways had put customer data at risk. This is because the vulnerabilities exposed to
“This was third-party software. It only took 22 lines of code to kick people out who were entering their bank account details on another site, and those details were stolen.”
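The breach Doherty describes came from a small script served by a third party and loaded into the payment page. One concrete defensive check for that class of risk, which the article itself does not go into, is to audit which cross-origin scripts a page loads and whether each is pinned with a Subresource Integrity hash, so a silently modified file fails to load instead of running. The following is an added example, not code from the article or from any vendor mentioned in it; the page origin, the HTML sample and the `sha384-` value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect every external <script src=...> on a page and record whether it is
    third-party (host differs from the page's own origin) and whether it carries
    a Subresource Integrity `integrity` attribute."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin  # hostname of the page being audited
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline scripts cannot be pinned with SRI; out of scope here
        host = urlparse(src).netloc
        # Relative URLs have no netloc and are served from the page's own origin.
        third_party = bool(host) and host != self.page_origin
        self.findings.append({
            "src": src,
            "third_party": third_party,
            "has_integrity": "integrity" in a,
            "has_crossorigin": "crossorigin" in a,
        })


def audit_scripts(html, page_origin):
    """Return one finding dict per external script tag found in `html`."""
    parser = ScriptAuditor(page_origin)
    parser.feed(html)
    return parser.findings


def unpinned_third_party(html, page_origin):
    """Return the src of every cross-origin script that has no integrity attribute,
    i.e. the scripts whose content the site operator is not verifying."""
    return [
        f["src"]
        for f in audit_scripts(html, page_origin)
        if f["third_party"] and not f["has_integrity"]
    ]


# Constructed sample page: one first-party script, one pinned third-party script
# (hash value is a placeholder, not a real digest) and one unpinned third-party script.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://widgets.example.org/widget.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src in unpinned_third_party(SAMPLE_HTML, "www.example.com"):
        print(f"third-party script without SRI: {src}")
```

SRI only helps for scripts whose content is meant to be static; a third-party script that legitimately changes over time cannot be pinned and instead needs to be constrained some other way, for example by a Content Security Policy that limits the origins scripts may load from and, through `connect-src` and `form-action`, where the page is allowed to send data.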
Doherty, like other speakers, addressed the challenges faced by CISOs, feeling that vulnerabilities in third-party code and the amount of risk in the software supply chain outweighed our collective ability to manage them. I acknowledged the issues I was having.
“As a CISO, you try to balance everything,” he said. “We are trying to balance security and compliance while reducing costs, but it becomes more complicated.
“Everything needs to go faster and we are pushing all this onto the developers who are complaining that the appsec team is preventing them from being agile. It’s the CISO’s role to decide where it lands.”
The challenges are exacerbated by the speed of technological change.
“We’re used to continuous releases, but now people are using AI. Intel, Google, etc. are now setting up big new teams focused primarily on AI development.
“Another common theme is the increasing use of open source. There are also deployments that need to be kept on-premises for security reasons.
“Now let’s talk about DevSecOps and Checkmarx.”
The old paradigm of shifting left and right no longer applies. Threats are everywhere at once. And so is the solution.
Doherty encouraged the audience to consider the fact that resolving software security issues after the event effectively forces companies to choose between security and productivity.
“Today, we provide tools that enable developers to understand their code and find out what vulnerabilities they have and what vulnerabilities exist in insecure open source.”
“The CISO needs to be able to understand exactly what needs to be fixed. Why is that important? You don’t have to do both.
“Because you can choose depending on the application, prioritization, threat modeling, etc. will help you decide where to go by understanding how your application behaves, its impact and where it is operating.”
Source: Shift anywhere for modern application security, https://www.computing.co.uk/event/4115109/shift-everywhere-modern-application-security