What developers need to know about the impact of compliance frameworks on software development
DeepFactor’s all-new Compliance Module helps developers identify when vulnerabilities and security risks compromise compliance goals
For today’s digital businesses, protecting customer data must be a top priority. However, as product teams focus on optimization, personalization, and user experience, many companies lack the strategy and execution plan needed to ensure the security and privacy of customer data. This can jeopardize business operations, lead to severe fines and penalties, and, above all, undermine customer trust and loyalty.
Fortunately, businesses can prioritize data security by following a number of compliance and regulatory frameworks, such as PCI DSS, SOC 2, and GDPR. These frameworks hold an organization to a minimum set of industry-specific security requirements intended to protect customer data, ensure confidentiality, and maintain operational efficiency.
For many IT organizations, successfully meeting and maintaining compliance requirements remains a top priority, with CIOs hoping to anchor the corporate culture in good cybersecurity and data management practices so that application security risks are discovered and addressed before going into production.
Compliance vs security
For maximum protection, businesses should understand that compliance is not the same as security; security is, however, a BIG part of compliance! While compliance focuses on meeting external, third-party regulatory requirements (frameworks) to protect the data the business collects and manages, security is the set of technical systems, tools, and processes used to protect the information and technology assets of a business. Put simply, becoming secure and compliant means securing information assets, preventing damage, protecting them, and detecting security incidents. These are the fundamentals cybersecurity teams build on as they implement technical frameworks and achieve compliance.
The next chapter in compliance
However, with cloud-native development accelerating the frequency and complexity of application releases, regulators, auditors and businesses are quickly realizing that there is a new area of interest in compliance: application security.
According to Verizon’s 2021 Data Breach Investigations Report, web applications account for over 80% of data breaches, with attackers abusing complex applications and complicated supply chains to gain access to vulnerable systems. In the IBM Security Cost of a Data Breach Report 2021, conducted by the Ponemon Institute, the average total cost of a data breach in the United States is $9.05 million, of which 38% is attributed to “increased customer turnover, lost revenue due to system downtime and increased cost of acquiring new business due to bad reputation.”
It is for this reason that many regulators and industry standards bodies are introducing requirements related to application development practices. For example, SOC 2 and PCI DSS now require some variation of the following:
- That organizations “develop applications based on secure coding guidelines” and prevent coding vulnerabilities such as injection flaws, buffer overflows, improper error handling, and cross-site scripting.
- That organizations perform timely software patches for all operating systems, container images, applications, and deployed firmware, especially those with vulnerabilities.
- That organizations implement cryptographic key management controls to protect the confidentiality, integrity, and availability of credentials.
DevSec-“Compliance”-Ops
Given the impact that complex environments and applications can have on compliance, many organizations are implementing initiatives, such as DevSecOps, to encourage developers to identify and remediate vulnerabilities and configuration issues early in the software development lifecycle (SDLC). With breaches going undiscovered for an average of 287 days (IBM), ensuring security at every stage of the SDLC means software can be delivered and released faster while reducing the impact on compliance goals.
Unfortunately, understanding the relationship between application security and compliance risks can be extremely difficult for developers. Many regulatory requirements come with confusing, sometimes misleading guidelines, and there is no authoritative source on industry best practices. For example, just reading the sample framework requirements above would leave the average developer with many questions:
What are “secure coding guidelines” and who sets and enforces them?
What is considered “timely”, and how do we prioritize which vulnerable components to upgrade? How do we ensure the “confidentiality, integrity and availability of credentials”?
And especially …
How does this impact our organization’s compliance goals… and what can I do about it?
Click on the link below to register for the associated webinar:
“What developers need to know about the impact of compliance frameworks on software development”
DeepFactor presents a compliance module
Last May, President Biden’s Executive Order on Improving the Nation’s Cybersecurity (May 2021) underscored the value of SBOMs by reinforcing the importance of providing developers with “a formal record containing the details and relationships of the supply chain of the various components used in the creation of software, [to allow] the manufacturer to ensure that these components are up to date and to react quickly to new vulnerabilities.” For this reason, last June we released our Runtime Software Bill of Materials (SBOM) module to help developers catalog software dependencies (open source and third-party) and operating system packages used by the application, as well as licensing information and runtime metrics such as processes, ports, files, and network connections.
Understanding your application’s supply chain is an important first step for any compliance framework. However, as explained above, we knew that developers and engineering teams needed even more information to ensure that their applications and infrastructure met business requirements and compliance goals. So, just before the holidays, we released DeepFactor 2.1 and introduced our brand new compliance module.
This module helps developers assess the compliance status of applications by mapping our alerts (system call risks, behavior violations, and vulnerabilities) to the Secure Controls Framework (SCF). The following excerpt from the SCF home page explains the framework in more detail:
“The SCF is a comprehensive catalog of controls designed to enable organizations to design, create and maintain secure processes, systems and applications. By analyzing these thousands of requirements, we have identified common points, and this allows several thousand unique controls to be addressed by the fewer than 750 controls that make up the SCF. This allows a well-formulated SCF control to meet several requirements. This emphasis on simplicity and durability is the key to the SCF, as it can allow different teams to speak the same control language, even though they may have totally different statutory, regulatory or contractual obligations towards which they are working.”
With this insight, developers can now understand the impact application security has on their organization’s compliance goals. For example, DeepFactor can alert when environment variables are detected containing potentially sensitive information such as user IDs, passwords, credentials, secrets, etc. According to the SCF, this would violate the following control:
Cryptographic key management: “Mechanisms exist to facilitate cryptographic key management controls in order to protect the confidentiality, integrity and availability of keys.”
DeepFactor’s new compliance module can:
- Alert developers at every occurrence when applications violate this SCF control
- Identify compliance frameworks threatened by the violation(s)
- Provide guidance to developers on remediation and education
See below for an example: when sensitive information is discovered in an application environment variable, DeepFactor alerts the developer to the compliance risk:
Secure configuration – PCI DSS v3.2 (3.5-3.5.4, 3.6-3.6.8) / SOC 2 Type 2 (CC6.1)
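To make the check described above concrete, here is an added example (not DeepFactor’s code, and not part of the original post) of a small scanner that flags environment variables which look like they carry credentials and reports each hit against the SCF control and framework references quoted above. The variable-name patterns, the entropy heuristic, the sample environment and all identifiers in the code are constructed for illustration; only the control name and the PCI DSS / SOC 2 citations come from the post.

```python
"""Flag environment variables that look like they carry credentials.

Added example, not DeepFactor's implementation. Each finding is tagged with
the SCF control and the framework references quoted in the post; the name
patterns, entropy threshold and sample values are constructed assumptions.
"""
import math
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional

# References quoted in the post (the only non-constructed strings here).
SCF_CONTROL = "Cryptographic key management"
FRAMEWORK_REFS = ("PCI DSS v3.2 (3.5-3.5.4, 3.6-3.6.8)", "SOC 2 Type 2 (CC6.1)")

# Constructed heuristics: name fragments that usually denote a secret, and
# suffixes that mean the variable points at a secret rather than holding one.
SENSITIVE_NAME = re.compile(
    r"(^|_)(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|KEY|CREDENTIALS?|AUTH)(_|$)", re.I)
BENIGN_SUFFIX = re.compile(r"_(FILE|PATH|URL|ENDPOINT|TIMEOUT|TTL|ENABLED|ALG)$", re.I)
# scheme://user:password@host ... credentials embedded in a connection string
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)


@dataclass
class Finding:
    variable: str
    reason: str
    redacted_value: str
    scf_control: str = SCF_CONTROL
    frameworks: tuple = FRAMEWORK_REFS


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str, keep: int = 3) -> str:
    """Keep a short prefix so the developer can recognise the value in a report."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def classify(name: str, value: str) -> Optional[str]:
    """Return why (name, value) looks like a credential, or None if it does not."""
    if URL_WITH_CREDS.match(value):
        return "credentials embedded in connection URL"
    if SENSITIVE_NAME.search(name) and not BENIGN_SUFFIX.search(name):
        return "variable name suggests a secret"
    # Long, space-free, high-entropy values are typically API keys or tokens.
    # 4.0 bits/char is above anything hex can reach (max 4.0), so this catches
    # base64/alphanumeric tokens; lower the threshold to also catch hex keys.
    if len(value) >= 32 and " " not in value and shannon_entropy(value) > 4.0:
        return "high-entropy value resembles a key or token"
    return None


def scan_environment(env: Mapping[str, str]) -> List[Finding]:
    """Scan a name->value mapping and return one Finding per suspicious variable."""
    findings = []
    for name, value in sorted(env.items()):
        reason = classify(name, value)
        if reason:
            findings.append(Finding(name, reason, redact(value)))
    return findings


def format_alert(f: Finding) -> str:
    """One-line alert in the spirit of the post's example, mapping hit -> control."""
    return (f"{f.variable}: {f.reason} (value {f.redacted_value}); "
            f"SCF control '{f.scf_control}' -> {' / '.join(f.frameworks)}")


# Constructed sample environment; none of these values are real secrets.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "LANG": "en_US.UTF-8",
    "DB_PASSWORD": "hunter2",                                   # name gives it away
    "DATABASE_URL": "postgres://app:s3cr3t@db.internal:5432/orders",  # creds in URL
    "TLS_CERT_FILE": "/etc/app/tls/server.crt",                # path, not a secret
    "SSH_KEY_FILE": "/etc/app/id_ed25519",                      # KEY but _FILE suffix
    "SESSION_TOKEN_TIMEOUT": "3600",                            # TOKEN but _TIMEOUT
    "UPSTREAM_ID": "q7Zp2LmX9vKd4RtW8nYs1BcF6gHj3Ea0",           # 32 distinct chars
}


def run_example() -> List[Finding]:
    """Scan the constructed sample; flags DATABASE_URL, DB_PASSWORD, UPSTREAM_ID."""
    return scan_environment(SAMPLE_ENV)


if __name__ == "__main__":
    for finding in run_example():
        print(format_alert(finding))
    # To audit the live process environment instead: scan_environment(os.environ)
```

The two exclusion lists matter as much as the match list: `SSH_KEY_FILE` and `SESSION_TOKEN_TIMEOUT` would both be noisy false positives without the suffix check, and a scanner that cries wolf is ignored. Findings are reported with a redacted value so the alert itself never re-exposes the secret it found.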
Armed with this information, development teams now have better visibility and a better understanding of the potential impact of system call risks, behavior violations and vulnerabilities!
Help your developers write compliant code
With applications released faster than ever, many organizations are struggling to manage vulnerability and security risks throughout the SDLC, especially their impact on top-down initiatives such as compliance. DeepFactor integrates with existing developer toolchains to provide application-aware security insights, with detailed visibility into application behavior, system calls, and stack traces that help identify vulnerable code. This information simplifies and accelerates the adoption of DevSecOps by enabling engineering teams to develop secure cloud-native applications that align with industry-standard compliance frameworks.
Check out our release notes for more information on our latest releases. And if you want to learn more about the new DeepFactor module and see it in action, join our webinar, “What Developers Need to Know About the Impact of Compliance Frameworks on Software Development” on Tuesday, January 25, at 2 p.m. ET / 11 a.m. PT.
This is a Security Bloggers Network syndicated blog from the DeepFactor Continuous Observability Blog, written by Andrew Horrigan. Read the original post at: https://www.deepfactor.io/blog/what-developers-need-to-know-about-the-impact-of-compliance-frameworks-on-software-development