Ask a dozen CISOs for a definition of secure engineering and chances are you will get back a dozen variations on providing assurance and integrity of the software delivery supply chain. While that’s true as far as it goes, my problem with it is that it doesn’t go far enough.
I propose that the secure engineering supply chain extends to the Production servers of whoever uses the software to run their business. From this perspective, Independent Software Vendors (ISVs) may need to rethink the division of labor between themselves and their customers when it comes to implementing security, and take on a larger portion of that effort.
You Aren’t in Just One Business
My argument is that an ISV is never just in the software business. Consider the Hannaford supermarkets breach of 2008, which was notable both for the size of the breach and as the first publicly reported breach of data in transit. Although IBM’s WebSphere MQ was never implicated in the breach by any of the investigating security firms, a reporter connected the dots between what was known – Hannaford had misconfiguration issues, and Hannaford used IBM MQ to move data. Suddenly IBM’s unsexy bulk data transport, virtually unknown outside specialist circles until then, was in the spotlight, and IBM’s software division found itself in the grocery business as far as public perception was concerned.
As an ISV, what businesses might your company suddenly find itself in after a high-profile breach? If the company’s reputation rests in part on how successfully customers secure the software they buy from you, then it’s in your interest to think of your software delivery supply chain as extending past the sale and all the way to your customers’ Production servers.
If this approach is new, then how much of the (Read more...)
This is a Security Bloggers Network syndicated blog post authored by T.Rob Wyatt. Read the original post at: Cylance Blog