The Three Pillars of Unified Risk Management for Product Security

Many organizations have a missing link in their approach to product security. This missing link introduces risks that threaten business value creation. In today’s threat landscape, security requires a holistic approach involving both software and hardware aspects — an approach that is missing in many organizations. Unfortunately, this leads to product vulnerabilities and weak product security, which requires post-deployment fixes and managing reputational damage, all of which reduce business value.

It’s not that security teams are unaware or ignorant but, rather, the software and hardware activities are not merged in a way that effectively balances security with speed. A unified risk management approach built on three key pillars — secure coding, secure testing and risk assessment — can help strengthen product security across the enterprise. Organizations want to move quickly, get their products and services to market and be secure. Building this approach ahead of time by design helps mitigate security risks caused by product vulnerabilities.

Bringing Software Security to Hardware

Software security traditionally focuses on the layers that sit above the operating system, such as mobile and cloud applications. But with the proliferation of internet of things devices and the integration, in many cases, of information technology and operational technology environments (such as industrial control systems used in critical infrastructure), the software layer extends into the hardware layer.

Attackers are, in fact, trying to penetrate the hardware layer to bypass all the security controls in place at higher levels. For example, attackers can find devices with insecure firmware code, thus making it possible to gain access into a system and exfiltrate data or cause other damage. Hardware, in many ways, is its own domain, but by bringing a software security approach to the firmware programmed into the hardware, organizations can start to contribute to bringing hardware into the picture, unifying their risk assessments and strengthening security from the ground up.

It’s with this approach in mind that standards groups such as the Institute of Electrical and Electronics Engineers (IEEE) no longer talk just about software development but systems development, which brings firmware and IoT into the discussions. At the organizational level, chief information security officers, typically focused on information security, are now working hand-in-hand with chief product security officers, who concentrate on hardware and firmware. As a result, layers that have traditionally been segregated are now being integrated.

Unifying Risk Assessments

A key to implementing unified risk management is attaching it to business value. No matter the business operation, you’re going to bump up against vulnerabilities, attack vectors and other situations that call for security risk remediation. But security teams can’t do everything in a quickly evolving infrastructure, so risks need to be prioritized. And that priority mechanism is driven by a risk threshold that comes from the business.

Organizations need to look at automating processes as much as possible while also repurposing the workflows and tools they have, such as code scanners and threat modeling techniques. Programmers are guided on integrating security as part of their DevOps processes and maintain that throughout the continuous integration, continuous delivery (CI/CD) pipeline.

Business value in today’s computing landscape largely depends on two factors: risk and speed. By combining the pillars of coding, testing and risk assessments, organizations can create a common set of controls to streamline risk assessments and remediations across the infrastructure while at the same time allowing software development and deployment to keep moving quickly. This approach allows security to be baked into product development from the start, mitigating risk and driving business value.