How Security by Design Can Strengthen Europe’s Cybersecurity

European legislation calls for Security by Design approaches in ICT products.

The European Commission recently released a range of documents to increase cybersecurity across the union. Each of these recognizes the key role industry will need to play. At CA Technologies, we strongly agree and welcome these proposals. We specifically believe a focus on cybersecurity-by-design will further increase security as every business or government is becoming a modern software factory.

The Modern Software Factory: Security at its core

Every business is becoming software-driven. Industries leverage connected technologies and applications to drive competitive advantage in the marketplace. Companies must act with speed to deliver quality user experiences for their customers. However, for many companies, security is often an afterthought in this accelerated development paradigm. As a result, companies across all sectors regularly release applications with significant numbers of vulnerabilities, exposing them to cyber-attacks.

According to research by Veracode, three out of every four applications scanned had at least one vulnerability, and 12 percent of applications had a high or very high severity vulnerability. Given these findings, it should come as no surprise that approximately 90 percent of cyber-attacks exploit vulnerabilities in applications.

In order to build trust in these digital products and services, companies must integrate security throughout their development processes, rather than bolting it on at the end. The discipline of integrating security throughout the development and testing cycle is known as DevSecOps, or Development-Security-Operations. By “shifting security left,” companies can significantly reduce the security risks and long-term costs of development. Fortunately, there are a range of tools and best practices available to developers to help them do this.

The importance of Security by Design

The European proposals call on ENISA (European Network and Information Security Agency) to drive the development of an EU certification Framework (the “Framework”), aimed at building market confidence in cybersecurity products, services and processes. The proposals note that secure development methods could be considered under the Framework, in essence promoting a “shift left approach”.

A big focus of the Framework will be fleshing out the responsibilities of different parties involved, including device and software manufacturers. To that end, there is also a strong focus on the role of security by design and a joint European Commission/industry initiative to define a duty of care principle.

CA Technologies supports the Commission’s proposal to develop a Framework and focus on security by design, if developed under the principles of active stakeholder engagement, flexibility, and global approaches.

Basic secure development building blocks

CA Technologies believes that there are basic secure development building blocks that can be applied across the economy, and that additional blocks, practices and tools can be added on a risk basis. Therefore, we believe there is a strong need for stakeholder engagement, to ensure that different security and technology perspectives and experiences are considered. Further, it is important that any policies allow for flexible practices in achieving the desired security by design outcomes. Security is a cross-disciplinary function. Given the range of assets, threats, priorities, risk tolerances, and resources, it is important to avoid a one-size-fits-all approach.

Finally, the Commission and ENISA should support and leverage international, consensus-driven standards, such as the ongoing work on the ISO/IEC 27034 standard for application security, and the PCI Data Security Standard. Cybersecurity is a global phenomenon. Alignment with international, consensus-driven standards and best practices allows providers to focus resources on innovative security solutions that can scale for the global market, rather than on distinct compliance requirements in different markets.

About the author

Brendan is Vice President of Global Government Relations for CA Technologies, where he leads the company’s Washington office and directs CA Technologies’ global public policy agenda. He has 19 years of government relations experience in the fields of cyber security, health care and technology policy issues. Brendan serves on the Board of Directors and Executive Committee of the Information Technology Industry.