Last week, we had the pleasure of attending SC Congress Toronto 2015, a key event for the North American cybersecurity industry. With our booth as home base, we saw new ideas at the breakout sessions and gained new insights from the information security and technology professionals who visited us (some made a point of seeing us first when the conference opened). We came in expecting code security to be the most frequently asked question; instead, we found people opening up more about open source. Perhaps that made us the open source therapists of the conference.
There’s no doubt that within any organization, IT is the group most concerned about security. They’re on the front lines of potential attack vectors and in the trenches when analyzing, planning, and executing threat mitigation strategies. However, most IT teams focus their security processes and tools on the edge of the organization: preventing breaches and information theft in real time, or using analytics to predict what will happen next. This gave us the opportunity to talk about preventing data theft and system downtime deep within the organization, right where the vulnerabilities are introduced: the developer codebase.
By describing how Klocwork static code analysis detects security vulnerabilities at their origin, we were able to add a new piece to the IT security toolkit, one that covers testing, security standards, and process, and that better protects organizations against attack. More than a few attendees said this was valuable information to take back to their teams and to other groups within the organization.
The big surprise (other than the free pizza and massages being offered on the expo floor) was open source use, or rather the lack of diligence around it. Given our conversations and the generally understood benefits of open source, it seems that IT departments are just as susceptible as anyone else to unknown, unqualified, and untracked open source packages within their organization. It’s a tough challenge, ranging from policy management to developer enforcement to codebase scanning, and one that OpenLogic was purpose-built to handle. More than any other subject, wrangling order from open source chaos was a significant conversation piece and one that we were uniquely poised to answer.
If we could choose one takeaway that we provided to conference attendees, it would be best summarized by Jeff Hildreth’s presentation on creating code confidence for better security (view on SlideShare). Jeff moved beyond the sales pitch to develop a framework that takes all the various drivers for information security into account (requirements, research, media, etc.) and fits into continuous, adaptable development processes. He summarized the challenges of information security in two statements: the application security world is fluid, and delivery cycles are short.
You can do something about these challenges by understanding your organization’s software security landscape (webinar) and visiting roguewave.com.