Shifting left and right, innovating product security

In this Help Net Security interview, Slava Bronfman, CEO at Cybellum, discusses approaches for achieving product security throughout a device’s entire lifecycle, fostering collaboration across business units and product lines, ensuring transparency and security in the supply chain, and meeting regulatory requirements while ensuring compliance.

Slava Bronfman

What innovative approaches can companies take to ensure the security of their products in an ever-evolving technological landscape, and how can these measures be continuously improved to stay ahead of potential threats?

The key to ensuring a high level of product security in an ever-evolving landscape is to shift both left and right. This approach ensures that product security practices are continuous throughout a device’s full lifecycle, not just every now and then.

Shifting left is not a new concept. Developers, managers, and all relevant stakeholders must address vulnerabilities and consider what’s going into their products from an early stage. This sentiment is echoed in CISA’s new SBOM Guidelines that require an SBOM to be developed as early as conception so that vulnerabilities can be identified before they ever enter a device. In addition, this information allows for teams to conduct Threat Assessment and Remediation Analysis (TARA) earlier, minimizing risk.

Now, shifting right is a bit different. Shifting right requires teams to simply accept that we don’t know what kind of vulnerabilities the future holds. For this reason, shifting right is not about finding things to address at a later date. To the contrary, it’s about putting in safety measures now so that teams can keep their software ready for remote updates whenever a demand arises post-deployment. These routine checks mean teams can react to new vulnerabilities quickly, taking action before they turn into breaches.

Many of today’s connected products receive over-the-air or some other kind of mid-life software update, either to address cybersecurity vulnerabilities or to add software-defined functionality. With a product security-focused platform, teams can continuously run vulnerability scans without needing physical access to the device, allowing practitioners to continuously improve their device and keep their customers secure.

What strategies and tools can organizations implement to efficiently orchestrate the end-to-end SBOM process, including merging multiple SBOMs, validating the data, and collaborating across all business units and product lines, to ensure greater transparency and security throughout their supply chain?

The best strategy to manage SBOMs, including generation, validation, updating, and collaboration is to consolidate the tools needed for these tasks.

Whether managing Software Bills of Materials with SBOM-specific software or keeping them in a spreadsheet (which if so, we should have a chat), SBOMs become complicated quickly. Consider that an SBOM is a list of the dozens or more software components that go into a device. Then, the device will be embedded into a greater system that has tens of other components. The number of SBOMs that need to be managed quickly jumps into the hundreds, just for one standalone device. The challenge grows exponentially once you consider the scores or hundreds of devices, along with the frequent changes they undergo throughout the development process. It’s a mind-boggling concern.

Integrating a holistic product security platform throughout the development process will allow for security management in one central location throughout the entire lifecycle of a device.

Now, SBOM generation is just the first action in a multi-step automated workflow that looks beyond the software component list. In these workflows, parties are notified of changes, SBOMs are approved and validated, and threat monitoring is conducted, all in a central location. At this point, relevant players can have access to the latest SBOM, VEX, threat analysis, and even compliance reports, all with the central oversight of the Chief Product Security Officer (CPSO).
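The answer above describes merging supplier SBOMs into a device-level view, validating them, and reading the result alongside VEX. The following script is an added example written for this page, not code from Cybellum or from the interview. It assumes a CycloneDX-like JSON shape (a `components` list with `name`, `version` and `purl`), uses the four OpenVEX status values (`affected`, `not_affected`, `fixed`, `under_investigation`), and works on constructed sample data with placeholder vulnerability IDs; every product name and purl in it is illustrative.

```python
"""Merge supplier SBOMs into one device view, validate them, and apply VEX.

Added example (not the interviewee's or Cybellum's code). Data below is
constructed for illustration; the vulnerability IDs are placeholders.
"""
from collections import defaultdict

# Constructed: a device-level SBOM and two supplier SBOMs (CycloneDX-like shape).
DEVICE_SBOM = {
    "name": "gateway-firmware",
    "components": [
        {"name": "rtos-kernel", "version": "3.2.0", "purl": "pkg:generic/rtos-kernel@3.2.0"},
        {"name": "tls-lib", "version": "1.4.1", "purl": "pkg:generic/tls-lib@1.4.1"},
    ],
}
RTOS_SBOM = {
    "name": "rtos-kernel",
    "components": [
        {"name": "libc-embedded", "version": "2.0.5", "purl": "pkg:generic/libc-embedded@2.0.5"},
        # The RTOS bundles an older copy of the same TLS library: a version conflict to surface.
        {"name": "tls-lib", "version": "1.3.9", "purl": "pkg:generic/tls-lib@1.3.9"},
    ],
}
BROKEN_SBOM = {
    "name": "bluetooth-stack",
    "components": [
        {"name": "bt-core", "version": "5.1", "purl": "pkg:generic/bt-core@5.1"},
        {"name": "bt-codec"},  # missing version and purl: must fail validation
    ],
}

# Constructed scanner findings and VEX statements (placeholder IDs, OpenVEX-style statuses).
FINDINGS = [
    {"id": "VULN-EXAMPLE-0001", "purl": "pkg:generic/tls-lib@1.3.9"},
    {"id": "VULN-EXAMPLE-0002", "purl": "pkg:generic/libc-embedded@2.0.5"},
]
VEX_STATEMENTS = [
    {"id": "VULN-EXAMPLE-0001", "purl": "pkg:generic/tls-lib@1.3.9", "status": "affected"},
    {"id": "VULN-EXAMPLE-0002", "purl": "pkg:generic/libc-embedded@2.0.5", "status": "not_affected"},
]

REQUIRED_FIELDS = ("name", "version", "purl")


def validate_sbom(sbom):
    """Return a list of problems; an empty list means the SBOM passes the gate."""
    problems = []
    for idx, comp in enumerate(sbom.get("components", [])):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            problems.append(f"{sbom['name']}: component #{idx} missing {missing}")
    return problems


def merge_sboms(sboms):
    """Union components by purl and record which SBOM(s) contributed each one.

    Returns (merged, conflicts). conflicts maps a component name to the sorted
    list of versions it appears at across SBOMs, so a reviewer resolves the
    duplicate instead of the merge silently dropping one copy.
    """
    merged = {}
    versions_by_name = defaultdict(set)
    for sbom in sboms:
        for comp in sbom["components"]:
            entry = merged.setdefault(comp["purl"], {**comp, "sources": []})
            entry["sources"].append(sbom["name"])
            versions_by_name[comp["name"]].add(comp["version"])
    conflicts = {n: sorted(v) for n, v in versions_by_name.items() if len(v) > 1}
    return merged, conflicts


def apply_vex(findings, vex_statements):
    """Drop findings a VEX statement marks not_affected or fixed; keep the rest.

    A finding with no VEX statement defaults to under_investigation, so it stays
    on the list rather than disappearing because nobody has triaged it yet.
    """
    resolved = {(v["id"], v["purl"]): v["status"] for v in vex_statements}
    actionable = []
    for f in findings:
        status = resolved.get((f["id"], f["purl"]), "under_investigation")
        if status not in ("not_affected", "fixed"):
            actionable.append({**f, "status": status})
    return actionable


def run_pipeline(sboms=(DEVICE_SBOM, RTOS_SBOM, BROKEN_SBOM)):
    """Validate, merge only the SBOMs that pass, then apply VEX to the findings."""
    problems, accepted = [], []
    for sbom in sboms:
        issues = validate_sbom(sbom)
        problems.extend(issues)
        if not issues:
            accepted.append(sbom)
    merged, conflicts = merge_sboms(accepted)
    return {
        "problems": problems,
        "merged_purls": sorted(merged),
        "conflicts": conflicts,
        "actionable": apply_vex(FINDINGS, VEX_STATEMENTS),
    }


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

Run as-is, the pipeline rejects the Bluetooth SBOM for its incomplete component, merges the remaining two into four distinct purls, flags `tls-lib` for carrying two versions, and leaves one actionable finding after VEX is applied. The version-conflict report is the part worth keeping in a real workflow: the nested-SBOM growth described above makes such duplicates routine, and they are where an "already patched" library quietly survives in a sub-component.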

How can organizations leverage pre-built mapping of standards to effectively meet regulatory requirements while ensuring compliance across all levels of their operations and minimizing the risk of costly penalties and reputational damage?

Second to harm to life or limb, reputational damage is what keeps CPSOs up at night.

The approach that we took at Cybellum to address this challenge is to place regulations, standards, and internal policies as pieces of our product security workflow. While each task can be conducted manually, we set up an automated process that allows companies to analyze their products by creating an SBOM, analyzing software components for vulnerabilities, generating VEX reports, and ultimately creating regulator-ready documentation to ensure all aspects of the software are up to par.

Teams can use this same process to set their own internal standards and ensure they are met, just like industry regulations. This minimizes the risk of damage since teams don’t need to wait for an event to audit their devices. Instead, it can be set to be conducted on a regular basis, allowing CPSOs to review the findings and mitigate newly discovered vulnerabilities before they become greater risks.

How does the Cybellum platform address the unique pain points and needs of its users, and what features and capabilities does it offer that distinguish it from other solutions in the marketplace?

Cybellum’s Product Security Platform was designed specifically to address the needs of product security teams with embedded devices in mind. It encompasses the main activities in a product security workflow and fosters collaboration between security, product assurance, developers, and GRC teams. This approach allows teams to analyze risks in the context of their cyber-physical devices, unlike generic cybersecurity tools that fail to understand the context of a full device.

We are aware that product security is still a relatively new discipline in the world of cybersecurity. While our platform is mature, our users are in various stages in their product security journey.

With this in mind, we not only offer great functionality and holistic security capabilities as mentioned earlier, but we also focus on the management aspect through overview dashboards.

From here, CPSOs can access:

  • Our corporate overview, giving them insights into SBOM and security progress broken down by business unit, team, and more.
  • A risk overview that identifies a product’s security posture against publicly known vulnerabilities, zero days, and even violated policies that need quick attention.
  • And also a compliance center that runs checks against specific products to give an idea of the organization’s standing alongside their internal quality requirements.

Now that all of this information is generated and available within a single platform, we’ve also added enhanced incident response capability so that Product Security Incident Response Teams (PSIRTs) have all the information they need within a few clicks to monitor for new vulnerabilities, understand which products are impacted, and conduct investigations. These activities save them time during the most critical moments right after a vulnerability is discovered.
