At Carve we are fortunate to have clients that span across many industries, company sizes, and technology maturity levels. This series of blog posts will discuss an increasingly common theme across our customer base, called "Digital Strategy" or "Digital Transformation", and how this affects an organization's security.
We see the following "Digital Transformation" themes repeating across our customer base:
- Customer access to previously internal-only systems via web applications
- Data analytics to provide insights to customers
- Interconnection with one or more 3rd party systems
- In some cases, driven by outside management consultants
A traditional application security plan is not adequate to manage the risk of most "Digital Transformation" initiatives. These initiatives are often fast moving, incorporate old and new technology together into one application, and involve multiple teams, business units, and outside resources. A penetration test report can be useless in a matter of weeks because of new features or a major engineering decision made in an agile structure.
Two high-level activities help a Digital Transformation balance the needs of the information security organization with the engineering/product organization:
Cultivate a culture of security within the organization and designate "Security Champions" who are accountable for security. These champions are not necessarily security experts, but they are accountable: they're the ones who yell when something bad is happening and advocate for security while the team is making decisions.
Digital Teams need internal security leaders who have the respect of both corporate InfoSec teams and product/engineering teams that support the business.
Shift towards continuous threat modeling and continuous penetration testing. This involves automation and building custom tooling, and the result is that issues are identified earlier in the SDLC when they're easier to fix.
One of the biggest consequences of a Digital Transformation is a changing threat profile. We perform threat modeling exercises with engineering teams to understand and help control the highest impact threats. For example:
- Single-user software backing an Internet-facing shared tenant application
- Multiple legacy systems without a unified concept of "identity" tied together supporting an analytics platform
- Limited functionality from internal systems exposed via a new Internet-facing application
All of these scenarios drastically change the threat profile of the application and we'll cover some of these anonymized case studies in the next blog posts in this series.