More than 250 companies have signed the “Secure-by-Design” (SBD) pledge from the Cybersecurity and Infrastructure Security Agency (CISA). By committing to the voluntary pledge, software manufacturers are promising to increase multi-factor authentication (MFA) for products; better enable customers to do their own patching; reduce default passwords; and decrease vulnerabilities, among additional proactive, protective practices.
By embedding cyber defense from the outset of product development and system architecture, SBD is intended to transform cybersecurity from an afterthought to an essential, core element of design. Companies that fail to adopt this approach run the risk of falling behind in their security and compliance maturity, while losing consumer trust. They also could run into some very expensive problems, as the average cost of a data breach has increased to $4.88 million – up from $4.45 million in 2023.
Co-founder & CTO at Secure Code Warrior.
Implementing an SBD strategy
So how do organizations effectively implement an SBD strategy? They can start by looking at the financial services sector, which is often more willing to invest in innovative approaches to security upskilling and additional preventative measures than other industries. These institutions are taking such steps because, frankly, they have to, given the immense challenges they face:
Increasing – and more costly – threats
If history has taught us anything, it’s that cyber criminals always follow the money. Financial organizations are experiencing 1,115 breaches a year, which ranks #4 among all verticals.
Regulatory pressures
The Payment Card Industry Data Security Standard (PCI DSS) and the European Union’s General Data Protection Regulation (GDPR) require financial organizations to achieve higher levels of governance and security. As part of the ongoing compliance process, the industry’s developers must bring verified skills to properly configure sensitive databases, payment gateways and portals.
The critical – and fragile – state of consumer trust
Financial service firms’ customers expect no less than the absolute fortification of their personal data and transactions. If an institution suffers an attack that compromises any of this, it runs the risk of losing consumer trust with potentially devastating market/revenue consequences – if not extinction.
SBD developer readiness
Fortunately in our research, we have found that the financial industry is doing an exceptional job of positioning for SBD developer readiness. There is no quality that is more “make or break” in significance than the upgrading of the skills and tools of the people who innovate, develop and disseminate code at the heart of our digital systems.
Indeed, in taking a closer look at what these companies are doing, we get a better sense of the level of developer risk management this industry is pursuing– and can help lift other industries as they “shift left” in seeking to make good on the CISA pledge.
Investments in upskilling
On average, in organizations, there are less than four software security group (SSG) specialists for every 100 developers. Given how few of these specialists are on board, it’s no wonder that code-level vulnerabilities continue to plague most verticals.
This speaks to the urgency of developer upskilling, with a focus on flexible, dynamic training programs that align learning within the context of “real life” threats – a “learning by doing” approach. The financial sector is considered an early adopter of these and other initiatives aimed at building security into the software development life cycle (SDLC), and has achieved high maturity rates here as a result.
Benchmarking
To ensure upskilling initiatives are working, organizations must establish baselines and benchmarks to assess whether SBD is recognized as an indispensable part of their DNA. Such benchmarking should cover the state of developers’ security skills, awareness and the measurement of their success profile against that of other industry members. With this, these leaders will truly know if their teams have earned a “license to code,” and that the inherent risk of developers with low security skills is being managed and effectively improved.
Proactive threat modeling and testing
Financial services providers are quite good at regularly conducting threat modeling to address risks sooner rather than later – preferably before an attack ever has a chance to strike. The industry also relies upon strict code reviews, testing and audits to reveal vulnerabilities and additional areas of concern.
By following financial institutions’ lead in establishing a baseline for developer risk management activities and implementing the described best practices, organizations across the board will cultivate a winning developer-driven security culture. This environment will prepare developers to implement robust, secure code from start to finish, to the point in which this emerges as a habit they can perform at speed.
That’s when companies of all kinds will demonstrate they’re doing far more than simply signing CISA’s pledge – they’re delivering on its promise to make SBD a universal norm by acting now to defend the future.
We rate the best school coding platform.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
