Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. We hosted this Session featuring a group of CXOs and other IT executives. The group met remotely to discuss the security-first digital transformation, led by the Intrapreneur, Vice President, Global Head of IoT Strategy of a Swedish multinational networking and telecommunications company. This Session was sponsored by Sonatype.
In today’s world, security can no longer be an afterthought. It needs to be made an intrinsic feature of software products from the very beginning. It’s also important to keep security top-of-mind while undergoing digital transformations. A security-first digital transformation is much more likely to succeed and be sustained in the long term, especially now that cyberattacks occur more frequently than ever.
An executive said that they primarily see a security-last approach in the digital transformation efforts of most companies. When stakeholders hear about new cyberattacks on the news, they pay lip service to shifting left, but do nothing to make it happen.
Another speaker mentioned that certain companies don’t really know what they are doing regarding security. They will continuously scan for vulnerabilities in well-maintained open-source projects, but then use a base container image that will not receive updates. Making the wrong security decisions hurts digital transformation as productivity is reduced and lead time is increased.
Multiple participants talked about establishing a delicate balance between speed and security. This is especially relevant when maintaining open-source package repositories. For example, allowing anyone to publish to a public repository accessible by the whole internet will be really efficient, but also unsafe. Even though verifying publisher identities and domain ownership may slow down the publishing process, it can’t be forgone.
Moreover, developers these days are so focused on not reinventing the wheel that they will install whatever gets the job done as soon as possible. As a result, they may end up installing a package that could potentially carry a backdoor far down the dependency tree. This is why it’s crucial to put in place an automated policy that checks open-source packages for risks and vulnerabilities before allowing developers to introduce them into the ecosystem.
An attendee remarked that the biggest challenge they face with third-party software is preventing zero-day vulnerabilities. Since their company provides globally used mission-critical modules, they find it risky to use open-source software that could have zero-day vulnerabilities. Instead, they prefer to build most of their components in-house.
Towards the end of the discussion, an executive exclaimed that we are never as scared as we need to be regarding cybersecurity. There are more sophisticated hacking tools available to malicious actors than ever before. The world is becoming increasingly automated and connected, but that’s also significantly expanding the attack surface and vulnerability points. This is why a security-first approach is vital for digital transformation efforts: build products and services that are intrinsically secure.