One of the largest changes underway in the way we create software is that cybersecurity is no longer an afterthought, but instead is being built into every application. The challenge many companies face is how to keep up and make sure the software they create is just as safe as the products they buy. That’s what we will cover today.
In a series of recent articles, I’ve been analyzing how companies can best allocate their security portfolio dollars. Just as with an investment portfolio, I’ve argued that you want to make sure you’re getting a return on your investment and that you’re spreading your investments out, so you’re not overexposed in any one area.
In a series on how companies can create the right security portfolio for their needs, I’ve put forward a five-step approach: 1) Determine Needs, 2) Allocate Spending According to Risk, 3) Design Your Portfolio, 4) Choose the Right Products, and 5) Rebalance as Needed. Those five steps need to address the five core tenets of cybersecurity as identified by the National Institute for Standards and Technology (NIST) framework, which are identification, prevention, detection, response, and recovery. However, how companies allocate their investments in each of these buckets can and should be customized to their individual assets and operations.
To understand the security products on the market that can help companies address these complicated issues, I’ve interviewed numerous experts from leading security solutions companies. For this piece, I spoke with Jeff Williams, the co-founder and CTO of Contrast Security, to get a sense of where his company’s products fall into the larger security portfolio. Now that all companies are software companies, Contrast addresses a critical space: ensuring that the software companies develop is secure.
Because Contrast does both vulnerability detection and attack blocking, it achieves prevention, detection, and response. Contrast is a bit like a vaccine for your applications. It works throughout the software lifecycle, during development, testing, and operation, allowing companies to protect their applications from within because the product is embedded within the applications themselves. As Williams told me, this approach emerged from the dilemma companies face when they try to protect their software.
A terrible choice: Innovation or security
“Companies face a terrible choice: either they turn their business into software and they accept the fact that they’re going to have rampant vulnerabilities and breaches or they let their competition win the innovation race. And everyone chooses software,” said Williams. “But as a result, we’re going to have 111 billion new lines of code in 2017. And the problem is that these legacy tools, dynamic analysis tools, static analysis tools and web application firewalls, were invented in the early 2000s. They’re absolutely incapable of scaling to the level of modern software.” This requires an approach that uses automation.
Every business that has been around for more than five years will have legacy software integration challenges, which require developing new code. Companies are constantly integrating new software platforms with older systems, and a cybersecurity platform has to be able to protect all of these assets.