preloader

Every business needs to shift left on security

blog-image

Five years ago, at the Microsoft Convergence 2015 Conference, Satya Nadella said:

“Every business will become a software business, build applications, use advanced analytics and provide SaaS services.”

Remarkably the quote holds full value as of today and years to come.

Picture Tesla, they manufacture cars, although some might say batteries on wheels. However, their market capitalization is almost as much as General Motors and Ford combined. How can it be? Any of those car manufacturers assemble way more cars than Tesla, not to mention units sold. The key is to recognize what sets Tesla apart, and no, it is not the electric engine, it is the software. We do not know how many lines of code are behind one of their cars, but we are discussing hundreds of millions.

We could continue to review the impact of software in every industry. I am sure you have seen many times that presentation where the largest taxi company (uber) does not own a single car, or the largest accommodation company (Airbnb) does not run any hotel, and so on.

So with software being the centrepiece of any company, there are many questions to address from envisioning the transformation to hiring and retaining the necessary talent. To follow with many more, like choosing the technology stack. There would be many valid answers to those challenges, and the answers will vary from company to company, but there is a commonality: security.

The software needs to be secure; otherwise all your reputation will be at risk whether it is someone hacking a car, to avoiding payment at the retailer to the privacy of personally identifiable data.

How do we add security to our software? Wrong, very wrong question. As any answer would mean to add a patch, and no one likes to walk around with spots. Security needs to be built-in from the beginning or left if you draw a time axis with the software development cycle. It is not just an etiquette thing; it is money saving. According to IBM, fixing a bug in the design phase costs about 80 USD, while doing so in the quality assurance phase will raise it to 960 USD, only skyrocketing it to 7,600 USD if found on production. Reputation costs or compliance fines can take you down.

Recently I had the opportunity to take a secure coding training. It helped me familiarise with SQL Injections, Parameters tampering, Insecure Direct Object References and more. The bottom line was clear, while it is essential to be aware, there are only so many risks. We need solutions to help us assess the secureness of our code and equally relevant the pieces that someone else might have written for us in the past, or third parties elements we do integrate, like libraries.

Fortunately, there are solutions like Hdiv Security that promote that shift-left approach, with a complete solution covering security bugs as well as business logic flaws. The suite allows you to perform Interactive Application Security Testing, or IAST, that is real-time feedback to the developers to help them put the risk in context with the source code. Traditionally penetration testers used to claim that there was an issue, as they exposed it, but then it was a hard job to find the root cause. Equipping your developers with this solution will slash costs while increasing the security.

Hdiv Security also provides Runtime Application Self Protection or RASP. A mechanism to help the applications offer a security lawyer from within. Traditionally approaches with Firewalls, or specialized Web Application Firewalls, WAF, tried to guess what was wrong leading to delays in execution, and many false positives as they lacked the execution context and could only guess the intend.

Their solutions are helping extremely demanding environments like healthcare, finance and government. Drop by their web site and request a free trial.