“Organizations have to focus on smart security”
We’ve had a lot of questions about the state of organizational security lately. Brian Fox addressed our questions and concerns about making sure security and development go hand in hand. What cultural shifts need to happen to ensure that security is baked into every facet?
JAXenter: What is the current state of security, and how can we create change to ensure that more organizations focus on preventing vulnerabilities?
Brian Fox: We’re really at a critical inflection point, and I mean that internationally, not just for the U.S. We recently found in our 2021 State of the Software Supply Chain Report (SSCR) that software supply chain attacks have increased 650% in the last year. As we know, there are only so many security professionals in the world to combat that increase, and there’s an incredible shortage of those folks as well. Bad actors have leveraged the foundational technology we use to build our software ecosystem: whether that be OS, or the development environment itself. Our faulty solution has been largely to fold security further and further left into the scope of developers’ roles — putting even more pressure on them to be “experts of everything.” Clearly that’s not the set of conditions we need for careful execution and creative solutions. So to start, businesses need to move the onus of responsible software development from individual contributors to the board level. Shifting that objective to the highest levels makes it a core business KPI instead of an individual’s extra load.
JAXenter: Are companies struggling to choose the correct security components, leaving their organizations open to potential attack?
Brian Fox: Absolutely, yes. Developers are struggling to choose the right components in their code: it’s something we hear about all the time. In the report I mentioned above, we found that 69% of developers’ dependency management decisions are suboptimal. The issue isn’t that there’s a lack of education around choosing the right components, it’s that choosing quality code takes time and rigorous standardization. That is simply something developers these days don’t have the time and resources to do with how overburdened they already are in their roles. Companies have to implement smart systems that take the guesswork and manual labor out of component selection, and most importantly, off the developer’s plate.
JAXenter: Obviously, software security affects all aspects of an organization. If organizations focus on security, what are some positive side effects they can anticipate?
Brian Fox: The caveat here is that organizations have to focus on smart security. That means forsaking the traditional “dev vs. security” binary and focusing on true team and workflow integration all the way to the top. When that’s done right, developers can focus on functionality instead of bug fixes, and organizations can save thousands in time recouped from inefficient communication and processes. It also makes organizations more appealing to potential customers, because they know they can trust their data – and therefore their daily operations – with your team.
JAXenter: In 2020 and 2021, cloud adoption saw a large increase. What should companies that are new to cloud computing know about cloud security and potential security breaches?
Brian Fox: I have to emphasize cyber hygiene here. Whenever an organization takes on a new frontier, it’s easy to prioritize the business wins before the backend rigor needed to sustain that growth. If your organization shifted towards the cloud in the last year or so, it might be that you’re trying to find a faster, cheaper, or more competitive option for your business. While that makes sense, as a business leader myself I know that that gain is only as sustainable as its functionality, and function cannot exist without a constant eye on security.
JAXenter: Security should be at the forefront of decisions, and as we have seen with the recent SolarWinds and Kaseya hacks, it can have a ripple effect of consequences. Despite this, organizations are still putting important security tasks on the back burner. What would you say to a decision-maker who is currently ignoring security concerns in their workflow?
Brian Fox: I would refer back to our discussion on the cloud adoption front. No business gain is safe if it could be down tomorrow, and business leaders have to start thinking that way. However, business leaders are still operating as if their perimeters are unquestionably safe: despite the fact that our entire business ecosystem is inextricably tied together. There are far fewer than “6 degrees of software separation” between us, and we know that your software supply chain is only as secure as someone else’s.
Look back to the Equifax breach: I’m sure at least one business leader there thought things were business as usual and IT was asking for too much when it would bring up security. Well, we know what happened and the human cost, as well as the reputational cost, that breach had. I’d ask any business leader if they’ve prepared for that result, and if not, when are they going to start?
And if that’s not enough to convince someone, I would refer back to what we found in this year’s SSCR: that by implementing improved and automated update processes, they could save 8 days per development team per year, 160 developer days a year, and $192,000 annually in time saved.
JAXenter: What cultural shifts need to happen before security is baked into every facet?
Brian Fox: It truly has to be a board-level priority. I don’t just think it’s individual business leaders who need to be thinking of cyber hygiene as a KPI for broader success: I think it needs to go all the way to the top. At Sonatype we’re seeing more “Chief Software Development Officer” titles come up, and as someone managing the role of a CSDO on top of my regular work as CTO, I think every company operating in our modern software ecosystem should have one. Having a high-ranking member of the executive team whose job it is to think about how our software is made, how it could be improved, and where our weakest points are will be essential to proactively avoiding vulnerabilities before they become the next headline.
JAXenter: With your background as a co-founder, developer, and CTO, what is some advice you can give based on your experience? What are some security lessons you have learned along the way?
Brian Fox: That we need the subject matter experts in the chair. For too long we’ve tried to solve all these problems of technology with the same business leaders that manage our share prices and blue-sky trajectory. As the pain points of managing technology grew, we retroactively added CIOs, CTOs, and CISOs. But that has still left us with this massive issue of old and new code vulnerabilities baked into our system. We can’t continue to message security as a priority while conveying its actions through ten layers of executive “Telephone” — we have to commit to prioritizing security and development in tandem at the board level.