Software development and DevSecOps pipelines are popular targets for attackers. The NIST frameworks can help protect them better.
“The way software is developed is constantly changing, with new methods increasing the efficiency of the development process. Software architecture is also evolving so that much of the software can be built from reusable standard components,” said Tom Molden, CIO Global Executive Engagement at Tanium.
Adapt control systems for software
“Think of it like building a prefab home, where the standard parts can be built in a factory with far greater efficiency and quality, while the truly valuable and customized parts of the home are left to the builder or on-site craftsman. As the world of software development changes rapidly, the opportunities for security risks multiply, meaning the control systems designed to help companies protect the software they develop and deploy must also adapt.
Continuous Integration and Continuous Deployment (the new processes introduced into cloud-native development) push progress to a level where humans can no longer keep up. Even the best application security engineer couldn't keep up with something that's constantly changing.
NIST – equal protection for everyone involved
As lengthy as they are, the NIST frameworks are useful in that they take a very comprehensive approach to security controls - they think things through thoroughly and present a lot of detailed information. Another way to look at it is that they did the work for you - a gift horse, so to speak. A frame of reference like NIST, so widely used around the world, means that all actors involved in protecting the environment read the same sheet of music.
All types of security controls typically involve some level of manual component. At some point, a cyber analyst or operator has to look at something and make a judgment call. The implication of CI/CD is a higher level of automation in the software development process, and the challenge is usually how to cover those steps in the automation that are normally carried out by a human.
Various NIST frameworks
It will likely be very difficult to continue to support both cloud-native and legacy software development in the future. The evolution of the cloud has forced standardization and enabled efficiencies not typically found in the world of legacy development. Legacy software development occurs in so many different environments and in so many different ways that it's hard to imagine retooling. If I had a euro to spare, I would invest it in faster development towards cloud and DevSecOps instead of trying to fix something retroactively.
There are many different types of NIST frameworks, and it is helpful to understand how they work together. I think a leadership-level presentation of key findings from the NIST control environment would be useful – to show how this new framework relates to others.”
More at Tanium.com
About Tanium
Tanium, the industry's only Converged Endpoint Management (XEM) provider, is leading the paradigm shift in traditional approaches to managing complex security and technology environments. Only Tanium protects every team, endpoint, and workflow from cyber threats by integrating IT, compliance, security, and risk into a single platform. The Tanium platform provides comprehensive visibility across all devices, a unified set of controls, and a common taxonomy.