Trevor Young, Chief Product Officer, Security Compass, Author at Security Compass

Mastering the 3E Framework: Elevating Your Security by Design Practices

Trevor Young, Chief Product Officer, Security Compass — Wed, 03 Apr 2024 02:28:35 +0000

In today’s digital landscape, the stakes for software security have never been higher. As cyber threats grow more sophisticated, the need for embedding security into the very fabric of software development processes becomes paramount. Security by Design is not merely a best practice; it’s a critical strategy for mitigating risk and ensuring resilience against evolving digital threats. Security Compass, leveraging extensive industry experience and insights, has developed the 3E Framework to guide organizations in seamlessly integrating security into their development lifecycle.

The Imperative of Security by Design

Security by Design transcends the traditional approach of treating security as a peripheral or a final-stage checklist item. It is about proactively identifying and addressing potential security vulnerabilities from the outset of the development process. This preemptive approach not only enhances the security posture of the final product but also optimizes development time and reduces costs associated with post-deployment fixes.

Unveiling the 3E Framework

The 3E Framework, conceptualized by Security Compass, is a comprehensive strategy comprising three fundamental steps: Educate, Embed, and Empower. This framework is designed to foster a culture where security is an integral part of the development process, not an afterthought.

1. Educate: Cultivating a Security-Minded Culture

The first pillar, Educate, underscores the importance of building a deep-seated awareness and understanding of security principles among all stakeholders involved in the development process. It involves extensive training, workshops, and continuous learning initiatives to keep the team updated on the latest security trends, threats, and best practices. Education shifts the perception of security from being a hindrance to an enabler of innovation and reliability in software development.

2. Embed: Integrating Security Expertise into Teams

Embedding security expertise directly within development teams is crucial for translating knowledge into action. The Security Champions program exemplifies this approach by designating and training selected team members to spearhead security practices within their respective teams. These champions serve as the nexus between security and development, ensuring that security considerations are woven into the development lifecycle at every stage.

Empower: Enabling Proactive Security Practices

With a well-educated workforce and embedded security experts, the final step is to empower teams to apply these principles actively. This entails integrating security requirements from the project’s inception, conducting thorough threat modeling, and ensuring continuous security testing throughout the development process. Empowerment leads to the creation of software that is secure by design, meeting both customer expectations and regulatory requirements.

Addressing Implementation Challenges

Implementing the 3E Framework is not without its challenges. Key among these is the friction between security and development teams, often stemming from differing priorities and pressures. Security requirements can also be complex and overwhelming, creating bottlenecks in manual processes that fail to scale with the demands of modern software development. Moreover, verifying security requirements often relies on cumbersome, error-prone manual methods.

To overcome these challenges, fostering a culture of collaboration is essential, leveraging automated tools to streamline security practices and integrating security considerations seamlessly into existing workflows. By doing so, organizations can bridge the gap between security and development, ensuring a harmonious and efficient process that upholds security standards without compromising development speed or innovation.

The Road Ahead

The journey towards mastering Security by Design through the 3E Framework is ongoing. It requires a commitment to continuous improvement, adaptation based on feedback, and celebrating successes along the way. By educating, embedding, and empowering, organizations can build a resilient, secure foundation for their software, ultimately fostering trust and confidence among users and stakeholders.

Security Compass remains dedicated to guiding organizations through this transformative journey, offering expertise, tools, and support to make Security by Design both attainable and effective. Embracing the 3E Framework is not just about enhancing security; it’s about securing a future where technology drives progress, free from the constraints of cyber threats.

Pathway to Secure by Design: How We Can Support Your Journey

To delve deeper into mastering Security by Design with the 3E Framework and overcoming the challenges within your organization, Security Compass is here to assist. Our team of experts can guide you through each step of the process, from education to empowerment, ensuring that security is seamlessly integrated into your development lifecycle. Contact us to learn how we can help your organization become secure by design. Together, we can build a secure future for your software today.

FAQ: Security by Design and the 3E Framework

What is Security by Design?
Security by Design is a proactive approach to software development where potential security vulnerabilities are identified and addressed from the beginning, making security an integral part of the entire development process rather than an afterthought.

Why is Security by Design important?
Security by Design is critical for mitigating risk and ensuring resilience against the increasingly sophisticated and evolving digital threats, optimizing development time, and reducing costs associated with post-deployment fixes.

What is the 3E Framework by Security Compass?
The 3E Framework is a comprehensive strategy designed by Security Compass, comprising three fundamental steps: Educate, Embed, and Empower, aimed at seamlessly integrating security into the software development lifecycle.

The post Mastering the 3E Framework: Elevating Your Security by Design Practices appeared first on Security Compass.

Security by Design and by Decree

Trevor Young, Chief Product Officer, Security Compass — Mon, 01 Apr 2024 02:52:58 +0000

Understanding the EU Cyber Resilience Act and the US Cyber Trust Mark program

Organizations that produce software – or products that include software – are under increasing pressure to ensure that software is secure. Whether that pressure is from concern about the “software supply chain” or regulatory bodies, organizations that cannot provide evidence of good software security practices face competitive and legal hurdles.

Enterprise software developers have felt this pressure for years. More recently, concern about software-driven products has risen. This is largely due to the ubiquitous nature of the Internet of Things (IoT). According to a report by Zscaler, the global number of IoT devices was 16.7 billion in 2023 and is expected to grow to over 29 billion by 2027. These devices include printers, routers, displays, payment terminals, and web cameras in business settings. In consumer markets, regulators are focused on data collection and usage of personal information collected by televisions, smart watches, mobile applications, and digital home assistants, among other applications and devices.

Security by Design has long been a goal of forward-thinking teams. That phrase is quickly transforming into Security by Decree as regulators worldwide demand more accountability from software providers. Two of those initiatives are The EU Cyber Resilience Act (CRA) and the US Cyber Trust Mark.

This blog will provide readers with:

Background on government initiatives to educate consumers on important issues.
An overview of the CRA And US Cyber Trust Mark.
An understanding of how these initiatives will affect software development processes.
Steps they can take to prepare for compliance with the programs.

Security by Decree

Software consumers have never had reliable information on security when making purchase decisions. A customer with sufficient buying power may require security audits, but consumers have been forced to rely on the product manufacturer’s goodwill.

Similar issues have been successfully addressed previously. The US Food and Drug Administration (FDA) requires nutritional labeling on food products sold in the US. The U.S. Environmental Protection Agency’s (EPA) EnergyStar labels allow consumers to compare energy efficiency on dozens of categories of devices and appliances. Unlike nutritional labeling, the EnergyStar program is voluntary and relies on consumer pressure to convince manufacturers to participate.

Comparable programs are coming for organizations that produce software to address privacy and security concerns. In 2022, the EU Commission proposed The Cyber Resilience Act that introduced security requirements for organizations producing “products with digital elements.” The following year, the US government announced the US Cyber Trust Mark, a certification and labeling program to inform consumers of cybersecurity processes, controls, and vulnerabilities products.

What is the EU Cyber Resilience Act?

The CRA was proposed in 2022 and is expected to pass in early 2024. Its goals are to ensure that “products with digital elements” (PDE) are delivered to customers with fewer vulnerabilities, require manufacturers to monitor and help customers manage the security of PDE throughout the product’s lifecycle, and inform consumers during the buying process of PDE about the security measures taken by manufacturers. Once the CRA passes, manufacturers will have 36 months to comply.

The CRA has four objectives (emphasis added):

Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle.
Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers.
Enhance the transparency of product security properties with digital elements.
Enable businesses and consumers to use products with digital elements securely.

Which Products Are Covered by the Cyber Resilience Act?

The CRA details three classes of PDE:

1. Class I
2. Class II
3. Unclassified of Default

The Default category is expected to cover 90 percent of all PDE, with Class I and Class II “critical” products comprising the remaining 10 percent.

Critical products include PDE, which is “designed to run with elevated privileges or manage privileges,” perform security functions or “a function critical to trust,” or are intended to be used in a critical environment. The Act also considers the potential results of a security failure and “the extent to which the use of products with digital elements has already caused material or non-material loss or disruption.”

Class I products include identity management solutions, browsers, password managers, anti-malware solutions, network management and configuration software, industrial automation and control systems, microprocessors / microcontrollers, and Industrial IoT devices. Class II PDE includes operating systems, hypervisors, public critical infrastructure, security solutions, smartcards/readers, routers, and modems.

While the reader should check the Act’s details in determining specific coverage, at the time of writing, the CRA did not apply to products covered by other legislation, including medical devices, motor vehicles, and military hardware. Software-as-a-service offerings are also exempt, except for some remote data processing solutions.

Security Requirements of the Cyber Resilience Act

Briefly, the CRA requires organizations to ensure cybersecurity is considered in the PDE’s planning, design, development, production, testing, and maintenance. This includes:

A cybersecurity risk assessment
Compliance with essential cybersecurity requirements and vulnerability handling requirements
Documentation of all cybersecurity risks
A Software Bill of Materials (SBOM) listing all open-source components
A conformity assessment
Continuous monitoring and reporting of new and actively exploited vulnerabilities for the life of the product

Risk Assessment

The CRA recognizes the need for security by design and default. Its “Essential Cybersecurity Requirements” are detailed in Annex I of the Act. It requires organizations to apply controls based on “an assessment of the cybersecurity risks associated with a product with digital elements” and use that “during the planning, design, development, production, delivery, and maintenance phases of the product with digital elements to minimize cybersecurity risks.”

Essential Cybersecurity Requirements

The “essential cybersecurity requirements” list outcomes, not specific controls to apply based on the security assessment. These include a requirement to deliver software with a secure by default configuration, a limited attack surface, minimization of data collected, ensure protection against unauthorized access, and protect the confidentiality and integrity of data.

Vulnerability Management

Item 2 in Annex I covers Vulnerability Management. This requires organizations to “identify and document vulnerabilities and components contained in the product.” It further requires organizations to disclose vulnerabilities once a security update is available publicly and ensure that patches and security updates are distributed “in a timely manner” for the entire expected lifecycle of the PDE.

Assessment Requirements of the Cyber Resilience Act

For Default products, manufacturers can perform self-assessments and provide an EU declaration of conformity that their products satisfy all Essential Cybersecurity and Vulnerability Management requirements.

Conformity assessment procedures for critical Class I and Class II products can require the application of a security standard and/or a third-party assessment “of the adequacy of the technical design and development of the product through examination of the technical documentation and supporting evidence.”

Penalties for Non-compliance with the Cyber Resilience Act

The CRA includes penalties for organizations that fail to comply with the essential security requirements in Annex I. These include fines of up to €15 million or up to 2.5 percent of the organization’s global annual turnover, whichever is higher.

What is the US Cyber Trust Mark?

In 2021, Executive Order (EO) 14028 directed the US National Institute of Standards and Technology (NIST) to a consumer labeling program “to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices.” This resulted in the creation of the US Cyber Trust Mark.

The US Cyber Trust Mark will be a shield logo and QR code that manufacturers can apply to products meeting established cybersecurity criteria. It is designed to provide easy guidance to help select less vulnerable products to cyber-attacks. For organizations manufacturing such products, the Cyber Trust Mark will provide competitive differentiation as a brand that values its customers’ security.

What Are the Security Requirements for the US Cyber Trust Mark?

In response to EO 14028, in February 2022, NIST published “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products.” The criteria build on the NIST IR 8259 series that provides IoT manufacturers with foundational activities for building and supporting more secure products.

THE NIST IR 9259 series defines both technical and non-technical IoT product capabilities and developer activities. NIST IR 8259A: Core Device Cybersecurity Capability Baseline provides “a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems.” It delivers guidance on building cybersecurity features into IoT devices from the initial stages of development and throughout a product’s lifecycle.

NIST IR 8259B: IoT Non-Technical Supporting Capability Core Baseline provides guidance on activities that organizations should undertake to support customers’ security efforts. This includes documentation, support, and education.

Will Compliance with the US Cyber Trust Mark Standards be Mandatory?

No. The Cyber Trust Mark is a voluntary labeling program. The White House press release highlighted consumer-grade routers in addition to “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.”

When Will the US Cyber Trust Mark Start?

The program currently exists as a Notice of Proposed Rulemaking (NPRM) at the Federal Communications Commission. Final rules will be published after input from key stakeholders. It is expected to be operational in late 2024.

How To Prepare

We have written about the importance of a Security by Design approach to software development. We are not alone. The US Cybersecurity and Infrastructure Security Agency (CISA) partnered with more than a dozen government agencies worldwide to endorse this approach.

What is Security by Design?

Security by Design is the philosophy of ensuring that systems are built securely from the very beginning of the development process, rather than solely relying on testing to identify vulnerabilities. Critically, security by design activities in the software development lifecycle’s planning, analysis, and design phases, before coding begins. This differentiates Security by Design from traditional application security activities that rely solely on testing tools to apply security later in the development lifecycle. These pre-coding activities include:

Threat modeling to identify inherent threats to applications based on the application’s programming language, frameworks, and deployment environment.
Developing and maintaining approved security countermeasures and controls to mitigate threats to an application and putting in place controls to ensure these countermeasures are properly implemented.
Identifying non-functional security requirements such as those called out in the EU Cyber Resilience Act, such as configuring software to have secure settings by default and checking components used by development for known vulnerabilities.
Mapping security controls to regulatory standards applicable to any application.
Training developers, QA, and other members of each project in secure development.

Practicing security by design means security is a product quality and it becomes easier to meet the requirements set out by the Cyber Resilience Act and to align with the US Cyber Trust mark.

How Security Compass Can Help

Security Compass is The Security by Design Company. We have worked since 2004 to help teams build more secure software. Our solutions enable organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows.

SD Elements

SD Elements, our developer-centric threat modeling platform, helps organizations accelerate software time to market and reduce cyber risks by automating threat modeling, secure development, and compliance. Threat modeling with SD Elements provides a proven 80 percent reduction in threat modeling time and a 92 percent reduction in vulnerabilities.

Content Library of Secure Development Practices

SD Element’s content library is curated by a team of security professionals tracking dozens of regulatory standards and frameworks. This includes an expansive collection of threats, countermeasures, and security and compliance best practices designed specifically to address the needs of developers.

Application Security Training

Our ISC2 accredited Software Security Practitioner Suites provides role-based courses enabling developers to learn foundational elements of software security and language-specific secure coding skills ranging from full-stack application development to mobile to operational security and general awareness. Our training includes Secure Product Development Practices referenced in CISA’s Secure by Design document.

Just-in-Time Training Modules

SD Elements delivers contextual learning directly to developers’ workstations to maximize retention. Brief Just in Time Training (JITT) modules are mapped to security requirements and countermeasures and delivered to developers through their existing workflow.

Enhance Your Cybersecurity Strategy: Partner with Security Compass for Compliance and Innovation

The importance of integrating robust security measures is clear in navigating the complexities of the EU Cyber Resilience Act and the US Cyber Trust Mark. As the landscape of cybersecurity evolves, staying ahead of regulatory requirements is not just necessary but a strategic advantage.

Ready to boost your organization’s cybersecurity and confidently tackle these regulations?
Security Compass is here to guide you. Our expertise and innovative solutions like SD Elements help integrate security into the software development lifecycle. We focus on embedding security deeply into your software, ensuring resilience and protecting your reputation.

Embark on a Product Tour: Uncover how SD Elements can tailor solutions to your distinct challenges.
Book a Demo: See how SD Elements can transform your software security approach.

Partner with Security Compass and turn regulatory challenges into opportunities for growth. Contact us and book your demo to start your journey towards a secure digital future.

The post Security by Design and by Decree appeared first on Security Compass.

How ChatGPT Will Affect Application Security

Trevor Young, Chief Product Officer, Security Compass — Wed, 17 May 2023 20:19:01 +0000

The beneficial capabilities of Artificial Intelligence (AI) have never been more obvious. A big part of the reason is OpenAI’s launch of ChatGPT in November 2022. ChatGPT describes itself as follows:

“ChatGPT is a large language model developed by OpenAI based on the GPT (Generative Pre-trained Transformer) architecture. It is designed to generate human-like responses to natural language inputs, making it capable of holding conversations with people on a wide range of topics. ChatGPT has been trained on vast amounts of data from the internet, books, and other sources, allowing it to understand and generate responses in many different languages and styles. It can be used for a variety of applications, including chatbots, language translation, and text completion.”

In short, users can type questions and receive answers based on ChatGPT’s enormous knowledge base. The most common use of this is to simplify a web search. Microsoft’s Bing search engine includes a feature similar to ChatGPT result as an alternative search option.

But it can also do more. Because its data set includes software development information, ChatGPT can generate source code based on a functional description of a task and debug code. While OpenAI has provided guardrails to prevent ChatGPT from creating malicious code, researchers have easily bypassed those to generate data exfiltration malware, phishing emails (including those with malicious payloads), and steganography malware.

Defensive Uses of AI

AI can also help defend networks and applications against adversaries. For example, solutions like ChatGPT provide a simple, natural language user interface to support development teams. Advanced users can extend GPT by training machine learning models with internal policies, proprietary research, cybersecurity standards and best practices, and other data to make it ‘aware’ of new threats or vulnerabilities and ways to mitigate those. This will be a great help to teams that lack the expertise of an experienced Application Security engineer.

AI is already in use in application security. Veracode recently announced they are using AI to generate remediated code for customers. Similarly, AI and machine learning can help accelerate and automate incident response. AI can consume threat intelligence much more efficiently than humans and identify patterns in the data. By training a system with indicators of attack and “run books,” AI systems can explain events in an easily understood manner and suggest actions. By observing selected responses over time, the systems can automate responses.

AI is also useful for discovering anomalies in email messages that could indicate malicious intent. Rather than relying on fixed signatures, AI allows solutions to analyze message content, domains, senders, and attachments to identify phishing emails and malicious content.

Limitations of AI in (today’s) Cybersecurity

While AI holds much promise, organizations need to address several challenges to ensure its success. These include:

Training set integrity: The term “garbage in, garbage out” is especially true in AI. Any model is only as good as the data in its training set. AI models rely on accurate and representative training data to learn patterns and make predictions. If the training set is inaccurate, the model may learn incorrect or misleading patterns, leading to reduced accuracy in its predictions.
Limited domain expertise: AI models benefit from large training sets. However, cybersecurity is constantly evolving to new and evolving threats. This means some threats may not have sufficient data for the AI model to learn from, resulting in reduced accuracy and performance. The model may struggle to generalize to new data or make incorrect predictions, leading to unreliable results. This is particularly relevant for services like chatGPT, which (as of this writing) was only trained on data available through 2021, meaning it would not be aware of any new threats or vulnerabilities discovered in the past two years.
Model “hallucinations”: AI models ChatGPT and Google Bard are “black box” models with inner workings that are not easily understandable. This can make it difficult to understand how they arrive at their decisions or to detect errors in their logic. Google CEO Sundar Pichai recently referred to this as the “hallucination problem” where the model provides incorrect information that is not part of its training set. Lack of documentation, citations, or reference material would make these models unsuitable for situations that may be subject to audit or that require an audit trail.
Models can be vulnerable to manipulation: The models have been designed to not perform some malicious tasks, such as developing ransomware attacks. Researchers have already identified methods to circumvent these controls. We should expect hackers to find methods for exploiting defensive AI as well.
Bias: AI and ChatGPT can reflect the biases present in the data used to train them, leading to discriminatory or unfair outcomes. This is particularly concerning in cybersecurity, where biases can lead to incorrect identifications of threats or vulnerabilities.
Privacy and protection of IP: In some open models, any data you provide may become part of the services training set and become available to other users. Engineers at Samsung recently exposed proprietary code and meeting notes to the model when they asked ChatGPT to debug source code from a semiconductor database. Similarly, Blockfence reported ChatGPT exposing unreported CVEs (essentially zero-day vulnerabilities) apparently researched by an unknown user.

The Future of AI in Cybersecurity

It is important to remember that ChatGPT has only been available publicly for a few months. Its adoption rate – 100 million users after just two months – makes it the “fastest growing consumer application in history.” Its reported value of $29 billion ensures that investments in generative AI will continue, leading to innovative uses of it over the coming years.

Here is what we think:

Security will improve: There are already example applications available that can help developers and security teams. These include:
- Translating text to SQL queries and programmatic commands
- Parsing unstructured text into tables
- Finding and fixing bugs in Python code
- Apps that translate the functionality of code into natural language.
Commoditized AI services: AI offerings will be ubiquitous across cloud service providers like Azure, Amazon, and Google, driving down costs for basic services.
Data sets will be key: Prepare for this now and remember the “garbage in – garbage out” paradigm. Understand the problems you are trying to solve, and the data required to train models. Organizations can train product support chatbots easily with internal documentation. Threat intelligence will require data sources with low false positives.
Beware of snake oil: Artificial intelligence, natural language processing, and machine learning are the latest buzz words. We expect to see everyone claim they are using AI. Make sure you understand “how” AI is used and how it is trained.
We will still have jobs: You will always need humans in the loop to train and validate your model. Higher order tasks will continue to require human oversight. The good news is that AI will make us all more efficient, yielding better results from data analysis at a fraction of the effort.

How to Get Started

The first step is to be sure you are clear on what you want to accomplish, then evaluate GPT models to see if they can help. Don’t buy a solution looking for a problem. That approach almost never results in success, and not everyone will have reason to incorporate GPT models in their business.

Remember, the key to success is starting with good data. We see that as a competitive advantage as we leverage AI. SD Elements provides an expansive content library of threats, countermeasures, regulatory requirements, and security and compliance best practices designed specifically to address the needs of developers. Since 2004 we have continuously improved and expanded this knowledgebase.

There is more to come – stay tuned!

The post How ChatGPT Will Affect Application Security appeared first on Security Compass.