Reducing risk and improving security can be accomplished when software developers treat security issues with the same level of importance as quality issues. Success comes when you achieve the right balance between incorporating new tools, technology, automation and processes.
Quartz Network Executive Correspondent Britt Erler sat down with Meera Rao, Senior Director of Product Management for Synopsys, to draw upon her 14 years of industry experience. Meera has been actively supporting her customers with their digital transformation efforts as it relates to software security.
Meera shares ways to:
- Ensure you can manage or scale digital innovation across the enterprise
- Treat security issues with the same level of importance as quality issues
- Find the right balance of people, process, and technology
- Create a culture where the dev team, the operations team, and the security team work together
- Continuously provide 4 key metrics to your CISO to show value and gain support
Quartz Network: Let’s begin with some context about your background and your current role with Synopsys.
Meera Rao: I’ve been working with Synopsys for 14 years now as a Senior Director. I started with different roles. I was part of the Consulting Group of Synopsys, so I was working with a lot of customers, doing architecture, risk analysis, threat modeling. Then, as soon as DevOps and DevSecOps came into the limelight, I started digging deep into those. I had prior experience with CI/CD and DevOps, so those were the other things that I started working on. So now, over the past 6 years, I’ve been working with all of my customers focusing on helping them build DevOps solutions in their enterprises.
Synopsys is a recognized leader in static analysis, software composition analysis, and application security testing. With the combination of industry-leading tools, services, and consulting, I think we provide customers both security and quality in DevSecOps throughout their SDLC.
Quartz Network: How can CISOs better partner with Software Developers or others that are responsible for a digital transformation in this era of increased technology?
Meera Rao: One of the key things that I have been seeing, especially with all the digital transformation and innovation over the past few years, is how they transformed building the applications.
Initially, it was these monolithic web applications, then came the N-tier applications, then they moved to microservices. As they were making this move, they also changed their business processes from waterfall to agile to DevOps, and now SRE and GitOps. You name a keyword; I think organizations have started using that.
No matter what application you are building or what business process you’re following, software security has become a business necessity. When I talk to most of the organizations within the US or around the world, I see six key things. The very first thing CISOs can do to become better partners for software developers is to make sure that any technology, tool, or process they bring in is developer friendly.
CISOs can look at whether the software testing tool they are bringing in integrates natively with the tools that the developers are using. Check if your developers actually trust the results. Trust is the key thing.
Once they trust the results, see if they are able to get the results while they are still able to fix them. If the developer has already passed that change, and then you give the results to them, that’s going to cause a huge problem. The first thing they can do is ask, “Am I developer friendly?”
The next thing is, “Am I DevOps enabled?” Consider whether it’s building automation, gathering all of the metrics, or supporting all the tools for DevOps, such as your build or CI systems. Look at whether it is the developers’ IDE, or whether it is the source repositories that the developers use. Consider if the tool and technology that you’re bringing in natively integrate with that.
The next thing is ease of use. How easy is it for the developers to use these tools and technologies, so that they can push the code to production at the speed that they want? Because at the end of the day, the goal of all organizations is to provide those features to the customers. So I think the ease of use and how you are able to customize is key.
The final consideration is, “Am I able to manage or scale this across the enterprise?” When you see digital innovation, when you see the transformation that is going through an organization, am I able to scale it through my enterprise? I think that’s also something that is key for a CIO or a CISO to be able to look at and see, and then support the developers.
Quartz Network: On the flip side of that, how can software developers better partner with CISOs to ensure that that happens?
Meera Rao: One of the key things – having been in this industry for 14 years now and across the world – is developers not treating security issues with the same level of importance as quality issues. So this DevOps and GitOps, SRE, whatever business process you use within your organization, enables you to release features and bug fixes so fast, like we never saw before.
Automation is key—we all know that. But when you automate all these tools within your build systems, it finds a lot of security issues. One of the challenges I saw was developers not even looking at those security issues. In order to make sure that your CISO is able to use you as a developer, be a better partner to your CISO to ensure you’re treated with the same level of importance.
Then show continuous improvement. They would have spent thousands of dollars, in some cases, even millions of dollars building this training program for the developers, making sure that they have either e-learning or instructor led trainings. There’s no way to find and fix all the issues. But for the issues that are critical or high, make sure you fix that and improve over time, and show that to your CISO.
The next thing I’ve been seeing is talk about shift left. When we see shift left, a lot of the developers are like, “Why do I need to do all these other activities at the end of the SDLC?” The goal is shift left doesn’t mean that all the other activities that you do in your entire SDLC can just be eliminated.
There has to be continuous security, whatever activities you’re doing. In the beginning, when you have your code, you do certain activities. In the center, when you have an application which is deployed, and as soon as it’s ready to go to production, you have your running environment, you do certain other activities. So there needs to be continuous security. Make sure that you show that.
Last but not least, you need to provide continuous metrics to your CISO. One of the key things that they need to talk about is that they need to see the visibility. Without metrics, you cannot communicate anything—such as the dollars spent and the value. All of the CIOs and CISOs need those data-driven answers.
So there are four key areas of metrics that I usually talk to my customers about.
1. Defect discovery: How effectively are you finding all the defects?
2. Policy: Most customers that we work with have to satisfy some compliance requirements, such as industry standards or PCI. So how effectively are you complying with those standards and requirements? Show that to your CISO.
3. Risk reduction: How have you reduced the risk by spending so many dollars? Are you fixing it? Are you finding it early? Show that metric to your CISO.
4. Risk prevention: How effectively are you preventing this? With COVID, we can talk about that very well now. How are we preventing the spread of COVID? You have some measures that you need to take.
Those are all great examples of how software developers can be key partners for their CISOs. If you’re spending too much time fixing all the bugs, if nothing is going to production, you’re not releasing new software and you’re not providing the value to your end customers, then the business is not going to make money. So you need to look at the risk, whether it’s the business risk or technical risk, and decide, what do I fix? What do I not fix? Then, show that value to your upper management.
Quartz Network: With all of the relationships between departments, specifically between security teams and developers, there are certain challenges and friction. What are some of the tools that have been really helpful for you in this process?
Meera Rao: Whether you’re doing DevSecOps, whether you’re doing GitOps, or whether you’re following any other business process, one of the key challenges that I have seen in the industry is a lot of these organizations are just going and acquiring a tool and declaring victory. That’s not going to work.
You need to have the right tools in place, agreed. But then, you also need to have the right process and then the right people. If you don’t have that, just by having a tool, nothing is going to work well, right.
You need to have people for configuring the tool the right way that it needs to run. It’s all about finding the right balance of people, process, and technology.
In most organizations that I have worked with, they have this requirement that anytime you find a critical issue, whether through tools, or any manual activity that you do, you have to fix that critical issue within seven days. If not, you cannot push your code to production or you cannot release the code.
Most organizations would have decided to go to production. Someone sitting somewhere in the world, who is responsible for looking at those thresholds, comes and says, “Oh, there is a gate. I’m not going to allow you to go to production.” There is a lot of back and forth, and then a lot of heated arguments.
You can just stop all of this. Bring all of that together where you build this culture of automation. You bring all the processes also, because now you’re able to look at this policy that you have that you cannot go to production if you have a defect, which has crossed the threshold of seven days.
If you have that process in place, and if you can automate all of that, and you have the right people, then that is going to help the organization in the digital transformation, as well as in the innovation. So having those tools, processes, and the people will help you to build that culture.
I think everyone has forgotten about that culture piece. They only look at the tool, they only look at the process. So bring together that culture where the dev team, the operations team, and the security team work together. I haven’t seen that in many organizations. When I talk to them about all of that, they come back and say, “We have a new DevOps team.” I respond, “No, the goal of all of this is to build that culture where all of you work together.”
Quartz Network: What do you believe is the first step?
Meera Rao: I think the first step is to break down the silos. One of the challenges that we have seen over and over again is security, or whatever they call SSG. Information security is always a separate entity in all of the organizations. They only provide this feedback to developers when they see security issues which are identified.
So it’s about having this collaborative approach, where the development team works collaboratively with the security team, and then both of them together work with operations on how to fix certain issues in the cloud or network.
The second thing is bringing this collaborative change. The entire organization needs to look at that. It’s not just the development team or the operations team. So, if you have some key aspects of maintaining this productivity go-to-market, make sure that you build this collaborative change across all teams. Again, it’s not just these three—development, operations, and security. There is your compliance team, your auditing team, a requirements team, and a QA team. So that’s a huge thing.
The next one is actually building those security champions.
Last but not least, one of the key things for us in the security industry is to let developers be developers. Yes, we need to train them, and they need to understand. But asking them to completely learn each tool that we use, each and every technology that we use for finding security issues, is not going to work. Make sure whatever tools, technologies, and processes you bring in seamlessly fit into their solution and their processes. I think that will help us bridge the gap, and then break down all these silos.
Quartz Network: How do open-source risks play into the conversation?
Meera Rao: I think that’s huge. Especially in this day and age, any application contains almost 90% open-source components. Many are really cracked, and it becomes the prime target for all the hackers. We have seen exploits every single day. The key here is to manage these. How do I track the open source from development all the way when it goes to production? What do I need to do that? How do I do that?
The key here is, especially when a customer talks to me and says, “We are following the DevSecOps practices,” that means you know how to automate. So with open source, there are tools like software composition analysis tools. Synopsys has a tool called Black Duck, which is able to manage all the open-source security issues or the licensing issues, all the compliance service that you have. You can actually automate this in your pipeline. Then, it can provide continuous feedback for your developers, whether they are developing in the IDE or whether they are running it in their build system. It can provide that feedback when it sees some issues with these open-source components.
For more industry best practices and insights from leading IT executives like Meera, join Quartz Network.