Strengthening Security: Raising awareness through internal product security programs

Author

Jernej Porenta

Staff Infrastructure Engineer

Published

August 23, 2023

Integrating security practices early into the software development life cycle is essential for ensuring safety and enabling an efficient workflow. Key components for building effective product security programs are security training, vulnerability management, and continuous adjustment within the cybersecurity ecosystem. However, it’s important to acknowledge the vulnerabilities of humans and address them proactively.

In today's rapidly evolving digital landscape, enterprises face an ever-increasing array of security challenges. Traditional security training has long been a staple in safeguarding businesses, providing employees with knowledge of best practices and protocols. Presenting common security threats to employees may seem to be enough; however, these training courses only really capture employees' attention when you present them with real-world examples.

“In our case, there was a sophisticated phishing attack on our CEO.”

If we had not been simulating phishing attacks of all sorts, this attack would have caused significant financial damage to the company and harmed our reputation. Fortunately, the threat was identified and the crisis was averted. We now use this example as training material for new employees.

Shifting Security Left: Integrating Security in Development

However, the landscape has changed, and simply relying on training is no longer enough to maintain a robust security posture. The need for a holistic approach to security has led organizations to embrace the concept of "shifting security left," which entails integrating security practices early into the software development life cycle.

For us, this means we have developed an internal security program that covers all phases of the development cycle and makes security one of the primary focuses of product development.

“We can describe our product security program in four main topics.”

1. Integrating Security in Development

By integrating security practices early into the software development life cycle and defining valuable KPIs with different metrics (e.g. time to patch a production system, number of identified vulnerabilities, …), we were able to ensure secure development without compromising workflow efficiency. So far, we have continuously improved our development processes to the point where each of our projects starts with secure defaults and with integrated continuous integration (CI) and continuous deployment (CD) pipelines, both of which already include security scanning tools.

Automation through our CI/CD system helps us with static and dynamic application security tests (SAST/DAST), software composition analysis (SCA) with automated dependency management, and automated security testing of live environments.

Over time, our ways of working have become able to deliver compliance with level 3 of Supply-chain Levels for Software Artifacts (SLSA), and we are gradually working towards level 4, which we should reach by the end of this year.

2. Building Strong Security Partnerships

Strong security programs are built on a set of stringent security requirements, starting with specialized security training and real-time incident response exercises tailored specifically for developers. Secure software development life cycle (Secure SDLC), rapid risk assessments (RRA), tech/architecture design reviews, and threat modeling are now ingrained in our development process. 

Allowing developers to work with security specialists enhances their understanding of the product's security requirements. By using security scorecards, we consistently measure the effectiveness of this part of our product security program across different teams and projects.

3. Proactive and Continuous Vulnerability Management

At 3fs, we take vulnerability management seriously. Continuous vulnerability identification and discovery have been part of our pipeline long before it became a regulatory requirement. Our well-established vulnerability management process enables us to triage, report, and remediate vulnerabilities at different stages of development. With automated vulnerability scanning and efficient CD systems, we are able to respond to security issues in production by creating new releases within minutes.

4. Evangelizing Security Awareness

Recognizing that the most vulnerable aspect of cybersecurity is humans, we prioritize raising security awareness among our employees. Internal capture the flag (CTF) competitions, weekly knowledge-sharing sessions, Communities of Practice (CoP), and special events during October security month have been successful in sharing knowledge throughout the organization.

Our commitment to cybersecurity awareness and preparedness has garnered national recognition, earning us, for the third year in a row, an invitation to participate in NATO's Locked Shields, an annual cyber defense exercise. The exercise simulates two nations engaging in a cyber security war and covers real-life scenarios, including media manipulation and legal implications.

Having this kind of experience definitely gives us an opportunity to raise the bar even higher. Our organization's journey beyond traditional security training has yielded significant results, empowering our employees with practical knowledge and a proactive mindset. The evolving cybersecurity landscape requires constant adaptation, and we are committed to staying at the forefront of security practices to safeguard our own and our clients' well-being.
