Shift everywhere for modern application security

Penny Horwood
2 min read

Patrick Doherty from Checkmarx spoke on Day 1 of the Cybersecurity Festival about how to address the challenges of modern AppSec

Patrick Doherty of Checkmarx began his session with the observation that recent attacks on companies such as T-Mobile had two key elements in common.

"They were all based on third party software and they all stole data. They weren't about ransomware or injecting viruses. They were all intent on stealing data."

Doherty cited the £20 million fine levied by the ICO on British Airways for a data breach which occurred in 2018. Whilst considerably less than the £183 million originally proposed, it remains a record for the ICO, and was set at that level because British Airways had failed to resolve the vulnerabilities which put customer data at risk.

"This was third-party software. 22 lines of code were all that was required to push people out, when they were entering their bank details, to another site which stole those details."

It feels as if the volume of vulnerabilities in third-party code and the risks lurking in the software supply chain are outpacing our collective ability to manage them, and in common with other speakers, Doherty acknowledged the challenge facing CISOs.

"As CISOs you're trying to balance everything," he said. "You're trying to balance security and compliance whilst also reducing costs but with more complexity.

"Everything has to be quicker and we're pushing all of this down onto our developers, who then complain that AppSec teams are preventing them from being agile. It's the role of the CISO to decide where all this should land."

The pace of technological change exacerbates the challenge.

"We're used to continuous releases but now people are using AI. Intel and Google and the rest are now creating big new teams, which are focused primarily on AI development.

"Another common theme is increasing open-source usage. We have multiple deployments. We have SaaS based deployments, we have hybrid deployments with some in the cloud and some on prem. We have deployments where we have to keep it on prem for security reasons.

"That brings us to DevSecOps and Checkmarx."

Shift Everywhere

The old paradigms of shifting left and right are no longer applicable. The threat is everywhere - all at once. And so is the solution.

Doherty invited the audience to consider the fact that resolving security issues in software after the event effectively forces businesses to choose between security and productivity.

"We have the tools today, which will allow your developers to understand their code, know which vulnerabilities are in there, be that coding vulnerabilities, be that insecure open-source."

"We need to help the CISO understand exactly what needs fixing. Why is that important? We need to go deep. We need to go wide. But we don't always need to do both.

"We can choose depending on the application, so understanding what your application does, the impact, where it's working, triaging it, threat modelling etc. can help you decide where you need to go."
