Security Compass: building secure software is only the beginning

Security Compass was started in 2004 by Nish Bhalla to address a specific problem: creating secure software. “I was lucky enough to be employee number two” Rohit Sethi, CEO at Security Compass, said to us. Over the years, through deep relationships with customers, the company learned that its solutions could help solve bigger and more complex problems in the application security space. Now, the main platform, SD Elements, is the go-to solution for organizations struggling with developing their software in a way that is both secure and timely.

Prior to Security Compass, Rohit graduated with a computer science degree in what was possibly the only era where that degree was not in high demand: the dot com collapse. “I was passionate about building things but my career options were limited at the time. The timing coincided with high-profile accounting scandals that led to the passing of the Sarbanes-Oxley Act in the U.S. The law forced companies to focus on their internal controls around areas like accounting and IT risk management. This in turn created a lift in demand that consultancies were eager to fill. Eager to retain some of what I learned in school, I found there was a nascent specialty called ‘application security’ that brought information security principles to software development. I am happy to say this has been my career path for the last 16 years”.

A dense jungle

Security Compass’s flagship product, SD Elements, is designed to provide a comprehensive approach to application security and compliance for DevSecOps. SD Elements automates application security requirements and threat modeling to deliver a holistic solution for business, security and risk & compliance stakeholders. “By helping organizations shift security left, building security requirements into the software development lifecycle from the start, we empower organizations to make software secure” the CEO continues.

“Our platform not only helps teams build security into their applications and manage security requirements across the SDLC, but it also creates an auditable record of security and compliance being embedded into software. Cybersecurity laws like NIST 800-53 and NY DFS require companies not only to follow secure development procedures, but also be able to prove compliance. SD Elements makes this easy. If a company is hit with an audit or even a data breach, CIOs and CISOs can prove that the company was following best practices to integrate security in”.

“We additionally offer modular, role-based eLearning that covers a variety of topics in secure software development. We have partnered with ISC2 to allow development teams to obtain recognized credentials in software security”.

How can automation act as a concrete innovation for enterprise security?

“If organizations really want to achieve their goals, they need to balance the business needs of going faster with the goals of risk management. Doing this effectively, at scale, requires automation. Large parts of what security organizations do manually today can be automated. For example, defining a list of well-known ‘threats’ in software design doesn’t necessarily require manual analysis; we already know that many technologies, features and programming languages are susceptible to well-known software security weaknesses and their corresponding countermeasures. It is possible to automate linking the technical attributes of software to intrinsic threats and countermeasures”.
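The automated linking described above can be sketched as a small rule engine: declare which technical attributes of a project imply which well-known weaknesses, and derive the countermeasures (and the open-item list an auditor would ask for) from the project's profile. This is an added illustration, not Security Compass or SD Elements code; the attribute names, rules and requirement wording are constructed, while the CWE identifiers are real entries from MITRE's CWE list.

```python
"""Tiny rule engine: project attributes -> known weaknesses -> countermeasures.
Added illustration, not SD Elements code; rules and wording are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """A threat/countermeasure pair that fires when every attribute in `when` is present."""
    when: frozenset            # technical attributes that trigger the rule (constructed names)
    cwe: str                   # real CWE identifier of the weakness
    threat: str                # what can go wrong
    requirement: str           # countermeasure the team must implement and track

# Constructed knowledge base; a real product maintains a large curated content library.
RULES = (
    Rule(frozenset({"sql-database"}), "CWE-89",
         "SQL injection through untrusted input in queries",
         "Use parameterized queries; never concatenate input into SQL"),
    Rule(frozenset({"web-frontend"}), "CWE-79",
         "Cross-site scripting via unescaped output",
         "Contextually encode all output and ship a Content-Security-Policy"),
    Rule(frozenset({"web-frontend", "session-cookies"}), "CWE-352",
         "Cross-site request forgery against logged-in users",
         "Require anti-CSRF tokens and SameSite cookies on state-changing requests"),
    Rule(frozenset({"file-upload"}), "CWE-434",
         "Upload of dangerous file types",
         "Validate type and size server-side; store uploads outside the web root"),
    Rule(frozenset({"deserializes-untrusted-data"}), "CWE-502",
         "Code execution through unsafe deserialization",
         "Do not natively deserialize untrusted input; use allow-listed schemas"),
)

def derive_requirements(attributes: set, rules=RULES) -> list:
    """Requirements whose trigger attributes are all present, ordered by CWE number.
    Matching is purely declarative: no security expert has to analyse the project."""
    hits = [r for r in rules if r.when <= attributes]
    return [{"cwe": r.cwe, "threat": r.threat, "requirement": r.requirement}
            for r in sorted(hits, key=lambda r: int(r.cwe.split("-")[1]))]

def audit_gaps(attributes: set, completed: set, rules=RULES) -> list:
    """CWE ids of derived requirements not yet marked complete: the auditable gap list."""
    return [r["cwe"] for r in derive_requirements(attributes, rules) if r["cwe"] not in completed]

if __name__ == "__main__":
    profile = {"web-frontend", "sql-database", "session-cookies"}   # constructed project
    for req in derive_requirements(profile):
        print(f"{req['cwe']}: {req['threat']} -> {req['requirement']}")
    print("open:", audit_gaps(profile, {"CWE-79"}))
```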

Embracing automation doesn’t need to be expensive. While robust commercial tools aren’t free, their Total Cost of Ownership (TCO) is substantially lower than the alternatives: hiring more security professionals to do manual work; having developers spend precious engineering cycles on security defects, along with the opportunity cost of the features they did not ship as a result; or the cost and distraction of dealing with regulators and lawsuits after an audit or breach when the organization did not follow industry-accepted best practices like threat modeling.

What is the modern-day approach to threat modeling?

In recent years, the proliferation of DevSecOps has shone a light on the over-dependence on security testing as a substitute for engineering secure systems. More analysts, security professionals, and even regulators have started to put greater emphasis on security-by-design. “For example, the recent Executive Order by President Biden in the United States resulted in greater emphasis on software supply chain security. The corresponding guidance from NIST specifically calls out threat modeling as a best practice – which (shockingly) is one of the first times threat modeling will be required for software outside of a few heavily regulated industries”.

“Despite the rush to embrace threat modeling, many organizations are using it the same way Microsoft documented it 17 years ago. They have not evolved the practice of threat modeling. Threat modeling in 2004 was designed primarily for waterfall development of desktop and server software”.

It involved training software developers to “think like an attacker”, create diagrams of running processes with “trust boundaries”, and build “attack trees” that enumerate the potential ways somebody can attack a system along with the corresponding defensive controls that could thwart such an attack. This is how many organizations continue to perform threat modeling. “Unfortunately, this approach requires a scarce resource that doesn’t scale: security expertise”.

What innovations are you focusing on for the future?

“We are very excited about our continued innovation into the future. We will help bridge organizations currently adopting legacy threat modeling approaches to a more modern developer-centric approach. We will help organizations understand the security controls of their entire software stack, minimizing the impact to software developers. We will also double down on ways to improve the experience and education for software development teams directly”.

Security Compass is made up of industry professionals who want to achieve the mission of helping organizations manage their cybersecurity risk without slowing down their operations. Including Rohit Sethi, the other executives are: David Rea, Chief Financial Officer and Chief Operating Officer; Bruce Warren, Chief Marketing Officer; Michelle Brookes, Chief People & Culture Officer; Trevor Young, Chief Product Officer; Rob Bentley, Chief Revenue Officer; Ehsan Foroughi, Chief Technology Officer.

A consolidation of DevOps technologies

The pace of adoption of DevSecOps technologies has been staggering. These days, we hardly encounter any enterprise that hasn’t at least piloted a DevSecOps program. “Despite the proliferation, I believe we are still in the early days. New innovative technologies are emerging regularly, which means we are still a ways away from broad industry consolidation. We are, however, starting to see a clear emergence of market leaders when it comes to customer demands for integrations and content, such as Jira for ticketing, Terraform for infrastructure as code, Kubernetes for container management, etc. Generally speaking, the challenges we see in organizations adopting DevSecOps have more to do with people and process than they do technology. Finding the requisite skills is challenging. Getting teams that have traditionally operated in silos to work collaboratively changes the power dynamic at organizations, which is a much more challenging problem than most people realize before they endeavor to start a DevSecOps program”.

How has the pandemic created, if at all, a corporate culture towards cyber prevention?

“The pandemic accelerated trends that were present before 2020. In particular, the concept of a ‘trusted’ internal network has largely been supplanted by a zero-trust architecture and the widespread adoption of cloud infrastructure and SaaS products. This has fundamentally changed the nature of cybersecurity, where there is no longer a ‘perimeter’ to protect our infrastructures from external attacks. As a result, there is a widespread acknowledgement that we need to build and provision secure technologies from the start, which has certainly increased the focus on DevSecOps”.

Which companies are best prepared to meet the challenges to systems posed by remote working and the disappearance of physical office space?

“It’s hard to imagine a company that hasn’t already had to deal with this challenge. While there are several organizations, such as some critical infrastructure providers, that may have never had to support remote work, most had to deal with it head on over the past two years. Some organizations have used it as an opportunity to leap to competitive advantage: they have invested in digital transformations that are built by design for a decentralized workforce”.

“They have re-imagined the concept of organizational boundaries and have embraced security as a first-order concern rather than an afterthought. These organizations have, for example, adopted web-based enterprise Single Sign-On with multi-factor authentication. Other organizations have tried to maintain their centralized networks protected by VPN and other controls to replicate the in-office environment and may unfortunately suffer from decreased productivity and engagement from their employees”.