Anne Neuberger, the deputy national security advisor for cyber and emerging technology, says the order will be like the National Transportation Safety Board, or NTSB, for cyber. “What can we learn with regard to how we get advance warning of such incidents,” she recently told reporters. She also notes that this executive order will be a starting point that should eventually trickle down to the consumer market as well. “If we start incentivizing security, then companies, [and] the market will then inherently prioritize it because more people will buy the product,” she says.
From my perspective, I am happy that this topic is finally coming full circle. In 2013, Chris Wysopal addressed this very topic in a keynote at RVASec where he discussed “The Future of Government Sharing.”
In fact, Chris started creating awareness with the federal government 23 years ago when he and some colleagues from the hacker think tank the L0pht testified to Congress in an effort to expose the risks and threats of cybersecurity. Eight years later, I joined Chris when he launched Veracode to actually start solving the critical problem of software security – together we focused on helping developers and security teams not just find but also fix vulnerabilities in their software (developed in-house, open source, or third-party purchased).
Just last month on International Women’s Day, I sat down with The New York Times cybersecurity reporter Nicole Perlroth and OWASP board member Vandana Verma to discuss this topic at an RSA Conference Podcast – sharing that Veracode’s recent research revealed that 66 percent of applications fail to meet the OWASP Top 10 standards, meaning they have a major vulnerability. This highlights that there is work to be done and we must embed security testing into the software development lifecycle so, as developers write code, they write securely. In that discussion, Perlroth said, “We can’t be trying to band-aid on these fixes after vulnerable code has already made its way to users, but also into critical infrastructure … We need to think about security and security design from the start. We have to start bringing in security engineers from the very beginning.”
Part of making software more secure involves integrating security into the software development lifecycle and training developers. We should not expect secure code if we haven’t established clarity on what good looks like and equipped developers with the right guidance, the right knowledge, and the right tools.
The executive order has been a long time coming, and I hope it establishes what the right expectations and accountability should be. We must put structure and standardization around cyber and software security, and there are a number of great examples of how this has been done successfully. One of our customers, an educational software vendor, joined the Veracode Verified program in order to provide evidence of its security processes and be eligible to do business with the New York public school system. In other words, the buyer held the software developer accountable for demonstrating a secure software development process, and through third-party testing, such as with the Veracode Verified program, the vendor was able to do that.
Given the continued impact of breaches on the federal government and companies, it is time we address the issue with focus and vigor. We must establish a common standard for cybersecurity that addresses one of the primary root causes of breaches – vulnerabilities in software. As more and more of how we live, work, and play moves into a digital world, doing so is, finally, an imperative.