Shift everywhere for modern application security

Penny Horwood
2 min read

Patrick Doherty from Checkmarx spoke on Day 1 of the Cybersecurity Festival about how to address the challenges of modern AppSec

Patrick Doherty of Checkmarx began his session with the observation that recent attacks on companies such as T-Mobile had two key elements in common.

"They were all based on third-party software and they all stole data. They weren't about ransomware or injecting viruses. They were all intent on stealing data."

Doherty cited the £20 million fine levied by the ICO on British Airways for a data security breach which occurred in 2018. Whilst the fine was considerably less than the £183 million originally proposed, it remains record breaking, and was imposed because British Airways failed to resolve the vulnerabilities which put customer data at risk.

"This was third-party software. 22 lines of code were all that was required to push people out when they were entering their bank details to another site which stole those details."

It feels as if the volume of vulnerabilities in third-party code and the risks lurking in the software supply chain are outpacing our collective ability to manage them, and in common with other speakers, Doherty acknowledged the challenge facing CISOs.

"As CISOs you're trying to balance everything," he said. "You're trying to balance security and compliance whilst also reducing costs but with more complexity.

"Everything has to be quicker and we're pushing all of this down onto our developers who then complain that appsec teams are preventing them from being agile. It's the role of the CISO to decide where all this should land."

The pace of technological change exacerbates the challenge.

"We're used to continuous releases but now people are using AI. Intel and Google and the rest are now creating big new teams, which are focused primarily on AI development.

"Another common theme is increasing open-source usage. We have multiple deployments. We have SaaS based deployments, we have hybrid deployments with some in the cloud and some on prem. We have deployments where we have to keep it on prem for security reasons.

"That brings us to DevSecOps and Checkmarx."

Shift Everywhere

The old paradigms of shifting left and right are no longer applicable. The threat is everywhere - all at once. And so is the solution.

Doherty invited the audience to consider the fact that resolving security issues in software after the event effectively forces businesses to choose between security and productivity.

"We have the tools today, which will allow your developers to understand their code, know which vulnerabilities are in there, be that coding vulnerabilities, be that insecure open-source."

"We need to help the CISO understand exactly what needs fixing. Why is that important? We need to go deep. We need to go wide. But we don't always need to do both.

"We can choose depending on the application, so understanding what your application does, the impact, where it's working, triaging it, threat modelling etc. can help you decide where you need to go."
