Shift everywhere for modern application security

Penny Horwood

Patrick Doherty from Checkmarx spoke on Day 1 of the Cybersecurity Festival about how to address the challenges of modern AppSec

Patrick Doherty of Checkmarx began his session with the observation that recent attacks on companies such as T-Mobile had two key elements in common.

"They were all based on third party software and they all stole data. They weren't about ransomware or injecting viruses. They were all intent on stealing data."

Doherty cited the £20 million fine levied by the ICO on British Airways for a data security breach which occurred in 2018. Whilst the fine was considerably less than the £183 million originally proposed, it remains record breaking, and it was imposed because British Airways failed to resolve the vulnerabilities which put customer data at risk.

"This was third-party software. 22 lines of code were all that was required to push people out when they were entering their bank details to another site which stole those details."

It feels as if the volume of vulnerabilities in third-party code and the risks lurking in the software supply chain are outpacing our collective ability to manage them, and in common with other speakers, Doherty acknowledged the challenge facing CISOs.

"As CISOs you're trying to balance everything," he said. "You're trying to balance security and compliance whilst also reducing costs but with more complexity.

"Everything has to be quicker and we're pushing all of this down onto our developers who then complain that appsec teams are preventing them from being agile. It's the role of the CISO to decide where all this should land."

The pace of technological change exacerbates the challenge.

"We're used to continuous releases but now people are using AI. Intel and Google and the rest are now creating big new teams, which are focused primarily on AI development.

"Another common theme is increasing open-source usage. We have multiple deployments. We have SaaS-based deployments, we have hybrid deployments with some in the cloud and some on-prem. We have deployments where we have to keep it on-prem for security reasons.

"That brings us to DevSecOps and Checkmarx."

Shift Everywhere

The old paradigms of shifting left and right are no longer applicable. The threat is everywhere - all at once. And so is the solution.

Doherty invited the audience to consider the fact that resolving security issues in software after the event effectively forces businesses to choose between security and productivity.

"We have the tools today, which will allow your developers to understand their code, know which vulnerabilities are in there, be that coding vulnerabilities, be that insecure open-source."

"We need to help the CISO understand exactly what needs fixing. Why is that important? We need to go deep. We need to go wide. But we don't always need to do both.

"We can choose depending on the application, so understanding what your application does, the impact, where it's working, triaging it, threat modelling etc. can help you decide where you need to go."
