Chief Product Security Officer: The Time Has Come
Creation of secure software requires a multifaceted leader to take charge
The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.
We all know it: It’s hard to do anything that is not enabled, at some level, by software. Yet software security failures continue to multiply, putting much of our lives in jeopardy. To stem the tide of security flaws that creep inexorably into software products, a new position must be created: Chief Product Security Officer (CPSO).
“We need a new individual to span many different departments – engineering, compliance, supplier management, information risk,” said Chris Wysopal, founder and CTO of Veracode, a maker of secure software development tools. “The CISO model doesn’t fit. That’s why we’re calling for a CPSO now,” he added. Wysopal’s remarks came during a virtual session at the online RSA Conference 2021.
“Software trustworthiness – or lack of trustworthiness – is on everyone’s mind,” said Joshua Corman, chief strategist for the healthcare sector at CISA, the federal agency charged with improving cyber security in the US, who shared the virtual session with Wysopal. “Software failure has been growing in variety and impact, causing increasing regulatory and legal response and board-level concern,” said Corman.
“SolarWinds captured the attention and political will of many stakeholders in government,” Corman continued, referring to the supply chain breach in which attackers inserted malicious code into the vendor's routine software updates, giving them backdoor access to the systems of customers who installed those updates.
Over time, the purposes of software have evolved, from speeding up repetitive business tasks through automation, to becoming a product that is used interactively by customers. “Software is taking over processes that used to be manual or back-office and adding a lot of risk to them. A mobile banking app is more risky than talking to a teller. The software we’re building now is adding a lot of risk to the world,” said Wysopal.
The increase in risk is due to the growth of the “attack surface,” or the number of points, including internet of things (IoT) devices, at which an organization can be penetrated, said the panelists. The widespread use of APIs adds to the problem. “Exposed APIs need to be secured, but APIs are now the bloodstream of an application. They are pervasive, and they create more attack surface,” said Wysopal.
The use of open-source software is another vector through which bad code can make its way into finished products. “Seventy percent of all applications have a security flaw that has been inherited by open source,” asserted Wysopal. Once bad code becomes part of the software supply chain, the possibilities of havoc are virtually unlimited. “A flaw way down in the bowels can create vulnerabilities downstream,” said Corman.
To keep tabs on different software components and their origins, a software bill of materials (SBOM) is needed. Such a list is now table stakes for selling high-consequence software to the federal government, said the CISA official. The discipline of creating an SBOM can go a long way to improving the security of software, Corman maintained. The approach is much like that advocated by W. Edwards Deming to improve product quality by using fewer and better parts suppliers. “Only use the freshest of ingredients in the food we produce, so to speak,” said Corman.
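What an SBOM buys you in practice is the ability to trace a flaw in a deep dependency back up to every product that inherits it, which is the "flaw way down in the bowels" problem Corman describes. The script below is an added example written for this summary, not code from Veracode, CISA or the speakers. It parses a small SBOM in the CycloneDX JSON shape (a real format; the components, versions, suppliers and the advisory entry are all constructed for illustration and do not refer to real packages or real advisories), walks the dependency graph in reverse, and reports which components, and whether the top-level product itself, are affected by each flawed component. It also lists the distinct suppliers, the count that the Deming-style "fewer and better suppliers" argument turns on.

```python
"""Audit a CycloneDX-style SBOM: find components matching an advisory list and
compute the blast radius (everything that transitively depends on them).

Added example. The SBOM below follows the CycloneDX 1.4 JSON layout, but every
package, version, supplier and advisory in it is constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed SBOM (fictional components and suppliers).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "mobile-banking-app", "version": "3.2.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:generic/http-client@2.1.0", "name": "http-client", "version": "2.1.0", "supplier": {"name": "Vendor A"}},
    {"type": "library", "bom-ref": "pkg:generic/json-parse@1.4.2", "name": "json-parse", "version": "1.4.2", "supplier": {"name": "Vendor B"}},
    {"type": "library", "bom-ref": "pkg:generic/str-util@0.9.1",   "name": "str-util",   "version": "0.9.1", "supplier": {"name": "Vendor C"}},
    {"type": "library", "bom-ref": "pkg:generic/crypto-lite@5.0.0", "name": "crypto-lite", "version": "5.0.0", "supplier": {"name": "Vendor A"}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:generic/http-client@2.1.0", "pkg:generic/crypto-lite@5.0.0"]},
    {"ref": "pkg:generic/http-client@2.1.0", "dependsOn": ["pkg:generic/json-parse@1.4.2"]},
    {"ref": "pkg:generic/json-parse@1.4.2", "dependsOn": ["pkg:generic/str-util@0.9.1"]},
    {"ref": "pkg:generic/str-util@0.9.1", "dependsOn": []},
    {"ref": "pkg:generic/crypto-lite@5.0.0", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed: (component name, affected version) -> advisory id.
# The id is a placeholder, not a real CVE or vendor advisory.
ADVISORIES = {("str-util", "0.9.1"): "ADV-EXAMPLE-1"}


def load_sbom(text):
    """Return (bom, components by bom-ref, reverse dependency edges)."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    # dependents[x] = set of refs that declare a direct dependency on x
    dependents = defaultdict(set)
    for entry in bom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            dependents[dep].add(entry["ref"])
    return bom, comps, dependents


def flawed_refs(comps, advisories):
    """Map bom-ref -> advisory id for every component on the advisory list."""
    return {ref: advisories[(c["name"], c["version"])]
            for ref, c in comps.items()
            if (c["name"], c["version"]) in advisories}


def blast_radius(ref, dependents):
    """All refs that transitively depend on `ref` (depth-first over reverse edges)."""
    seen, stack = set(), [ref]
    while stack:
        cur = stack.pop()
        for parent in dependents.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def suppliers(comps):
    """Distinct supplier names; a missing supplier field is itself a finding."""
    return sorted({c.get("supplier", {}).get("name", "unknown") for c in comps.values()})


def audit(text, advisories=ADVISORIES):
    """For each flawed component, report who inherits it and whether the product does."""
    bom, comps, dependents = load_sbom(text)
    root = bom["metadata"]["component"]["bom-ref"]
    report = {}
    for ref, adv in flawed_refs(comps, advisories).items():
        affected = blast_radius(ref, dependents)
        report[ref] = {
            "advisory": adv,
            "affected": sorted(affected),
            "reaches_product": root in affected,
        }
    return report


if __name__ == "__main__":
    _, comps, _ = load_sbom(SBOM_JSON)
    print("suppliers:", suppliers(comps))
    for ref, finding in audit(SBOM_JSON).items():
        print(ref, "->", finding)
```

Run it and the one flawed component, three levels down, is shown to reach the product through json-parse and http-client, which is the downstream effect the panelists warn about; without the dependency section of the SBOM, the product would appear to contain only two direct dependencies and the flaw would be invisible.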
Who could be a CPSO?
As for who might fill the vital role of CPSO, the most qualified individuals would have the ability to take two views of software security – that of the developer and that of an overall risk manager. “A lot of people might be in the middle of the skill set. You have to engage with the individual developer to find and fix things in the code, but you have to also take the bigger picture with regard to risk,” said Wysopal. Although CISOs think in terms of enterprise risk management, product security teams don’t think that way, he explained, adding, “The CPSO needs to bulk up in both these areas.”
Turning the tables
While the increasing use of automation in software development tends to introduce security flaws into the final product, a savvy CPSO can turn that very automation to advantage. “Developers are hyper-automating to eliminate manual processes. But a CPSO can take advantage and move secure processes into this model,” Wysopal contended. By implementing security and compliance as code, developers can make fixing bugs faster and cheaper, he explained.
Making it happen
Despite the demonstrable necessity of the CPSO position, hurdles such as funding are likely to stand in the way at many companies. To make the case to the C-suite, IT leaders should present detailed reasons. “Come up with objective criteria with regard to what touches revenue and rank those according to risk,” Corman urged. Once the argument has been won, a single strong leader will be needed. “You’ll have to find champions, because you’re not going to get a big team for this,” said Corman.