Building and Verifying Security Trust in Today’s Complex Tech Stacks and Hybrid Solution Environments
In many implementations, software solutions have been a combination of custom code, reusable software and services, starting with the compiler and the database. Today the technology world has vertically integrated open source, development frameworks, executables and platforms, as well as network and internet-based services that can be connected in minutes and are often offered for free. Of course, all this openness, choice and connectivity has come with a tradeoff: the growth of cyber attackers and of solution complexity, both of which require increasing security consideration. Companies are also now legally required to protect the data of their users and customers.
A foundation of security is the concept of “trust”. An organization's first question should be whether its security is good enough, or trustworthy enough, to be considered secure. However, this is often decided at the requirements level rather than verified against a measure of secure trust. Having encrypted communication with TLS (Transport Layer Security, e.g. HTTPS), for example, is good, but is it at an appropriate level of complexity? Is it enforced? Are all communications in your solution encrypted, or only the internet-facing ones, because you are assuming that your enterprise and/or cloud account can be trusted? This is just the start of determining what security trust should be considered.
From a security standpoint, an organization should be asking the following questions: Do we trust the security of our software? Do we trust our software partners' security? Should our customers trust our security? Security trust should not be given blindly in software, although it frequently is. Today’s computer systems are being trusted to securely process and manage transactions and data for finance, healthcare, infrastructure, consumer purchasing, etc. The security trust needs to be appropriate, as it will be challenged by attackers.
This presentation discusses the two parts of security trust in software: the first is the building of trust, the second is the verification of trust. Trust verification is a continuous exercise throughout the software solution lifecycle. It covers not just the software a company has produced but also the third-party software that forms its building blocks and the services it interacts with.
Topics of trust that will be discussed are trust boundaries, encryption, certificates, access control, authentication, cyber testing, software lifecycle, reputation assessment, industry standards, isolation, patching, security vulnerability discovery and handling, secure by design/defense in depth, and security logging/reporting. A critical part of verifying trust is detecting attackers who are trying to gain trust and mitigating these types of attacks.
This presentation will also discuss the various actors, software, devices and services where trust needs to be built and verified. A corollary to building trust is that there will be solutions where software and hardware assets and actors are untrusted or only partially trusted. Techniques and designs to manage these scenarios will also be discussed.