Insight by OpenText and Splunk

Cyber Leaders Exchange 2024: OpenText’s Kevin E. Greene, Splunk’s David Dalling on how to get out of cybersecurity ‘reactive mode’ from code onward

Agencies can stay ahead of cyberthreats on everything from software development to network monitoring through a few tactics, share OpenText and Splunk experts.

The market for software has outrun the industry’s ability to deliver secure code. Demand for frequent releases with ever more functions creates larger attack surfaces, growing numbers of vulnerabilities and the need for updated approaches not just to software development but also to the enterprise itself.

“The big thing, I really think, is speed versus security,” David Dalling, global vice president for cyber strategy at Splunk, said during Federal News Network’s Cyber Leaders Exchange 2024. “We’ve gotten to this market where we need something new every year — a new version has to come out every year. It is really hard to make sure that we’re making it secure by design and secure by default.”

Kevin E. Greene, public sector chief technology officer at OpenText, added that the software industry may need to revise its approach to secure development. Rather than push only for perfectly safe software, which may not be possible, the industry should also push for resiliency.

For software developers, Greene said, “the intended outcome, to me, is improving the quality of software, improving the overall security of software, but also making software more resilient to the attacks we’re seeing.”

That requires more than simply testing code.

“It’s really about also going through and validating what logs do I need out of this code, so that, if there is a breach, I will be able to figure out what’s going on,” Dalling said. “We can’t completely prevent attacks, but we can design software in a way that we have an ability to respond and the attackers have a much harder ability to deploy.”

Bringing user behavioral data, application programming interface (API) data and log data into an open cybersecurity framework, Dalling added, will help system designers improve testing, security interoperability and compliance.

“It really comes down to, when we are building software, bringing in practitioners and asking what software is supposed to do,” he said. “This is how it acts. This is how it’s going to be working with other systems.”

One strategy for bending the security curve involves limiting the urge for ever more features and functions. As an analogy, Greene quoted the late rapper Notorious B.I.G.: “More money, more problems.”

“More code means more complexity,” he said. “More complexity means more problems, more vulnerabilities. When you have more software, software systems being larger, you increase the attack surface.”

Stay ahead of threats from the coding onward

Organizations that code or acquire software can also reference work at the National Institute of Standards and Technology. Dalling pointed to the Open Security Controls Assessment Language (OSCAL) as a promising tool for helping ensure secure software.

NIST is working with industry on OSCAL, a machine-readable format for expressing security-control information about code and systems. Dalling said OSCAL data can load into the agency’s security information and event management (SIEM) system for analysis and correlation with other security-related data.

“This really works and helps [evaluators] test code to make sure it is compliant with the controls,” Dalling said. “We need to get more technically based assessments, and less paper-based control assessments.”

Even when development groups have fully embraced secure coding techniques, no software is 100% free of vulnerabilities.

“I don’t think there’s such a thing as secure software,” Greene said. “All software has vulnerabilities or has common weakness enumerations, CWEs, that would eventually be vulnerabilities.”

This is why, as agencies pursue secure software and development practices, they must also think in terms of resiliency, he said.

Resiliency means “we have to be able to anticipate, adapt and evolve our cyber capabilities,” Greene said. “That really requires taking a threat-informed defense approach, leveraging things like threat intelligence and understanding what our threat profile is, so we can build the right protection mechanisms.”

Full visibility into the agency’s attack surface should also accompany the safe software drive, Dalling said.

“Understanding the environment, what are the assets that you have, and what that attack surface is, is really important,” he said. Also important: regular penetration testing of important assets and developing response plans before something happens.

“When we’re using pen testing, we’re actually breaking into systems,” he said. “We’re actually impacting what’s going on in a nonproduction way.”

That, in turn, will prompt questions, Dalling said. “Then going back and saying, ‘This is what happened. How are we going to respond to this? What is that remediation effort? How long is it going to take?’”

Dalling added that tabletop exercises don’t yield as much insight as penetration tests. In one instance, a live test showed that the data associated with a system would take weeks to recover.

Still another ongoing requirement is continuous monitoring, something agencies are supposed to do in the first place. Operationalizing it, rather than doing it piecemeal, will help agencies find gaps in cyber defenses before malicious hackers do.

Greene said that agencies can use software bills of materials (SBOMs) to pinpoint areas of potential vulnerability they should be sure to monitor.

Ultimately, agencies must move from a reactive to a proactive mode by anticipating breaches and developing playbooks for what happens when one occurs, Dalling and Greene said.

“We are very retroactive,” Dalling said. “We say we’re proactive by having automated detection and automated response, but that’s still retroactive. That’s after the breach. We need to spend more time on the front.”


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
