Embracing the Challenge of Surfacing Vulnerabilities without Sacrificing Developer Productivity

Alonzo Ellis, Chief Security Officer, CISO, Vanguard

A mature and ever-evolving vulnerability management program is critical to protecting an organization’s clients and assets. The pace at which technology is evolving makes this challenging to get right. Rapid innovation has led to complex architectures spanning traditional data centers and cloud environments, and the development community’s demand for flexibility has led to polyglot application programming methodologies and portfolios. CISOs in all industries must have a healthy concern about falling behind in application assurance coverage and ensure that their vulnerability management programs continue to effectively identify and mitigate vulnerabilities. Fortunately, while evolving technology is part of the problem, it is equally part of the solution.

In many cases, the traditional identification process is manually intensive and comes in the form of a required review (or as developers would call it – a roadblock or speedbump) prior to elevating to production. Such reviews include security architecture reviews, security code and configuration inspections, and penetration tests. At Vanguard, we embrace the challenge of surfacing vulnerabilities as early as possible without sacrificing developer productivity and deployment speed.

By building assurance into our build pipelines, we shift the identification of vulnerabilities “left”, which enables developers to build security in while allowing existing assurance processes to execute in parallel rather than as required tollgates. Early detection means vulnerabilities are quicker to fix, which allows us to prioritize more risk reduction activities while reducing the cycle time of delivering business value.

Static Application Security Testing (SAST), Software Composition Analysis (SCA), container scanning, and infrastructure-as-code scanning tools are examples of the suite of capabilities inspecting applications in our modern pipelines on every build. By baking security scanning into the development process, you are not only able to surface vulnerabilities in real time, but you can immediately stop the most egregious vulnerabilities from entering production, while empowering teams to prioritize remediation of low-risk findings within established SLAs. While the concept of SAST and SCA is not new, today these tools offer much more than a list of vulnerabilities that need to be addressed. Dashboards provided by these tools offer a rich experience for developers and security professionals. They allow you to make risk-smart remediation prioritization decisions by diving deep into the technical details of a vulnerability and testing its exploitability, while offering tips and on-demand training for resolving it. Today developers are not only mitigating a specific risk, they are improving their security acumen.

Security-specific tools are not the only technology helping modern vulnerability management programs. Sophisticated reporting tools can improve visibility at all levels of your organization, enabling leaders to hold front-line employees accountable for the risks they are introducing. There are several technology options to ingest, parse, and display data in a way that is understandable and, most importantly, actionable. By having this data in a usable format, appropriate guardrails can be set for development teams, and you can make data-driven decisions about when to leverage traditional security testing.
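The pipeline gate and reporting guardrails described in the two paragraphs above, as an added illustration that is not Vanguard's code or any named tool's output: scanner findings are normalized into a simple dict shape (constructed samples), blocking severities fail the build, every other finding gets an SLA due date, and the tickets are rolled up per team for a dashboard. The severity thresholds and SLA day counts are assumed policy values, not the author's.

```python
"""Policy-as-code gate over normalized SAST/SCA/IaC findings (added example)."""
from datetime import date, timedelta

# Assumed policy: which severities block a deploy, and SLA days for the rest.
BLOCKING = {"critical", "high"}
SLA_DAYS = {"critical": 0, "high": 7, "medium": 30, "low": 90}

# Constructed sample findings, normalized to one shape regardless of tool.
SAMPLE_FINDINGS = [
    {"tool": "sca", "id": "VULN-0001", "severity": "critical",
     "component": "lib-a", "team": "payments"},
    {"tool": "sast", "id": "SAST-0042", "severity": "medium",
     "component": "checkout.py", "team": "payments"},
    {"tool": "iac", "id": "IAC-0007", "severity": "low",
     "component": "main.tf", "team": "platform"},
]


def evaluate_findings(findings, build_date_iso):
    """Return (blocked, tickets).

    blocked is True when any finding has a blocking severity; tickets carry an
    SLA due date so lower-risk items can be tracked rather than gate the build.
    Unknown severities raise, so a misconfigured scanner cannot pass silently.
    """
    build_date = date.fromisoformat(build_date_iso)
    blocked = False
    tickets = []
    for f in findings:
        sev = f["severity"].lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {sev!r} on {f['id']}")
        blocked = blocked or sev in BLOCKING
        due = build_date + timedelta(days=SLA_DAYS[sev])
        tickets.append({"id": f["id"], "team": f["team"],
                        "severity": sev, "due": due.isoformat()})
    return blocked, tickets


def summarize_by_team(tickets):
    """Count open tickets per team and severity for leadership reporting."""
    summary = {}
    for t in tickets:
        by_sev = summary.setdefault(t["team"], {})
        by_sev[t["severity"]] = by_sev.get(t["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    blocked, tickets = evaluate_findings(SAMPLE_FINDINGS, "2024-01-01")
    print("BLOCK" if blocked else "PASS", summarize_by_team(tickets))
```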

The last point I want to make is that vulnerability management is as much about culture change as it is about technology. The insights these technologies offer are invaluable when it comes to increasing the security acumen of your organization. Use this data to pinpoint vulnerability trends, offer targeted training, and celebrate areas of maturity within teams. It is easy to say that security is everyone’s responsibility. Most people in your organization want to do the right thing, and as security professionals we must continue to leverage technology to make achieving this as easy as possible.
