Recap: Building Security Into Products: How Developers Can Bulletproof Their Tech
Corporations spend millions every year to ward off and defend against cyberattacks. Those costs increase as hackers evolve their attacks, moving so fast that it often leaves security professionals playing catch-up. The cost to an organization’s bottom line—and its reputation—can be disastrous.
But what if security was built right into the product development process? In partnership with Accenture, Aaron Holmes of The Information explored this question with three leaders in the field:
- David Cooper, managing director, security and technology, Accenture
- Yinon Costica, co-founder and vice president of product, Wiz
- Kurt Sauer, group vice president and chief information security officer, DocuSign
The Current State of Cybersecurity
Aaron Holmes opened the conversation by asking panelists about the general cyberthreat landscape.
Yinon Costica was the first to take on the question: “I think nation-states will continue to be superactive, especially this year, when we anticipate more elections.”
Kurt Sauer said we need to learn from old mistakes: “We have to be taking engrams of the past and putting it into how we’re developing our software in the future.”
And David Cooper stressed the importance of baking security right into the product itself: “Product is absolutely critical, because that’s what a lot of the bad guys are after.”
Build It Better From the Beginning
Considering security more deeply during the product development phase can speed time to market.
As Cooper said, “It’s a shared responsibility between the security engineers and the product engineers to work together and get it right the first time. Once that’s achieved, you don’t have security reviews holding the product up for six months.”
Costica believes illustrating the consequences of an unsecure practice gives a real wake-up call to developers. “When they see what good looks like and what bad looks like, developers are much more incentivized to do the right thing earlier.” He added, “We’re seeing a shift in the role of security from being a blocker to enabling an entire organization to build faster and adopt new technologies. It’s an exciting time for security.”
Deeply Considering Costs
Despite the fact that companies are spending more on cybersecurity, large breaches are still happening, so buyers are looking more deeply into the products they buy.
As Cooper laid out, “They used to be told security needs more millions this year, and they’d just write the check. Now they’re saying, ‘Wait a second. How do we know we’re getting the value? And how do we know the tools are doing the job that we need?’ It’s a really interesting shift in how companies are thinking about their security purchases.”
Using AI for Good…and Evil
When it comes to security breaches, time is a critical element—and that’s where new tools like artificial intelligence come in. AI can help locate vulnerabilities much faster, allowing security to resolve breaches before they become crippling.
But bad actors are using AI as well to create and spread phishing emails at a much faster rate and bigger scope. Given the proliferation of threats, Sauer thinks it’s impossible for humans to find every weakness on their own. “We as security leaders have to start thinking about the cognitive abilities of our workforces to be able to understand the threat, because it’s at a point where security experts are having a difficult time identifying the security threats. So I think we have to rely on automation.”
Cooper said, “[Generative] AI dramatically cuts the time it takes us to respond to breaches. Now we’re going to our clients in a couple of hours because we’re able to provide a basic analysis faster. What we’ve seen is a higher speed and a higher fidelity, at the same or less cost.” He added that it’s a boon for developers too, with new tools allowing them to quickly add critical security features to products from the start.
Security Is Liberating
While hackers will continue to grow more sophisticated, so too will security professionals and product developers. But if a business mitigates risk by baking security measures right into the product from the beginning, it can block attacks before they start. Reducing risk frees up budget constraints and time to allow companies to do what they do best: creating wildly innovative, world-changing products.