January 7, 2022

What Developers Need to Know About the Impact of Compliance Frameworks on Software Development

Deepfactor's brand-new compliance module helps developers identify when vulnerabilities and security risk jeopardize compliance goals

Andrew Horrigan, Technical Product Marketing, Deepfactor

SANS 2022 DevSecOps Survey

Create a culture to significantly improve your organization’s security posture.

Download Now >

For today’s digital businesses, protecting customer data should be a top priority. However, as product teams focus on optimization, personalization, and user experience, many businesses are not prepared with the right strategy and execution plan to ensure the security and privacy of customer data. This can jeopardize business operations; lead to severe fines and penalties; and—most importantly—damage the trust and loyalty of customers.

What Developers Need to Know About the Impact of Compliance Frameworks on Software Development

Image courtesy of Bloomberg

– Bloomberg

Thankfully, businesses can prioritize data security by following a number of compliance and regulation frameworks, such as PCI DSS, SOC 2 and GDPR. These regulatory requirements ensure an organization is complying with industry-specific, minimum security-related requirements to protect customer data, ensure privacy, and sustain efficiency.

For many IT organizations, successfully reaching and maintaining compliance requirements remains a top priority with CIOs hoping to ingrain company culture with good cybersecurity and data management practices to ensure application security risks are discovered before releasing into production.

Compliance vs Security

For maximum protection, companies should understand that compliance is not the same thing as security—however, security is a BIG part of compliance! Whereas compliance is focused on meeting external/third-party regulatory requirements (frameworks) to ensure the protection of data collected and managed by the company, security is a set of technical systems, tools, and processes used to protect and defend the information and technology assets of an enterprise. More simply, becoming secure and compliant means securing information assets, preventing damage, protecting it, and detecting security incidents. These are the core tenets of cybersecurity teams, as they work to implement technical frameworks and achieve compliance.

The Next Chapter of Compliance

However, with cloud native development accelerating application release frequency and complexity, regulators, auditors, and enterprises are quickly realizing there’s a new area of focus for compliance—application security.

According to Verizon’s Data Breach Investigations Report 2021, web applications account for over 80% of data breaches, with hackers abusing complex applications and complicated supply chains to gain access to vulnerable systems. In the IBM Security Cost of a Data Breach Report 2021 —conducted by Ponemon Institute—the United States average total cost of a data breach is $9.05m, with 38% attributed to “increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.”

It’s for this reason that many regulators and industry standards bodies are introducing requirements related to application development practices. For example, both SOC 2 and the PCI DSS standard now require some variation of the following:

  • That organizations “develop applications based on secure coding guidelines” and prevent coding vulnerabilities such as injection flaws, buffer overflows, improper error handling, and cross-site scripting.
  • That organizations conduct timely software patching for all deployed operating systems, container images, applications, and firmware— especially those with vulnerabilities.
  • That organizations implement cryptographic key management controls to protect the confidentiality, integrity, and availability of credentials.

DevSec-“Compliance”-Ops

Given the impact complex environments and applications can have on compliance, many organizations are implementing initiatives—such as DevSecOps—to encourage developers to identify and remediate vulnerabilities and configuration issues early in the software development life cycle (SDLC). With breaches averaging 287 days undiscovered (IBM), ensuring security is present during every stage of the SDLC means software can be delivered and released faster while reducing the impact to compliance objectives.

Unfortunately, understanding the relationship between application security and compliance risks can be extremely challenging for developers. Many regulatory requirements have misleading and confusing guidelines and there’s no authoritative source on industry best practices. For example, just reading the example framework requirements above would lead the average developer to ask many questions:

What are “secure coding guidelines,” and who defines/enforces them?

What is considered “timely,” and how can we prioritize which vulnerable components to upgrade? How do we ensure the “confidentiality, integrity and availability of credentials?”

And most importantly …

How does this impact our organization’s compliance objectives … and what can I do about it?

 

Click the link below to register for the companion webinar:
“What Developers Need to Know About the Impact of Compliance Frameworks on Software Development”

 

Deepfactor Introduces a Compliance Module

Last May, President Biden’s Executive Order on Improving the Nation’s Cybersecurity (May 2021) highlighted the value of SBOMs by reinforcing the importance of providing developers with “a formal record containing the details and supply chain relationships of various components used in building software .. [to allow] the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.” For that reason, last June we released our Runtime Software Bill of Materials (SBOM) module to help developers catalog software dependencies—including open source and 3rd party—and OS packages used by the application; along with licensing information and runtime metrics such as processes, ports, files, and network connections.

Understanding your application’s supply chain is an important “first-step” for any compliance framework. However—as explained earlier—we knew developers and engineering teams needed even more information to ensure their applications and infrastructure met the business’ requirements and goals for compliance. Thus, just before the holidays, we released Deepfactor 2.1, and introduced our brand-new compliance module.

 

2022-01-04_21-20-16-png-1

 

This module helps developers assess compliance status for applications by mapping our alerts—System Call Risks, Behavior Violations, and Vulnerabilities—to the Secure Control Framework (SCF). The following excerpt from the SCF homepage explains the framework in greater detail:

“The (SCF) is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications .. Through analyzing these thousands of requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the less than 750 controls that makeup the SCF .. This allows one well-worded SCF control to address multiple requirements. This focus on simplicity and sustainability is key to the SCF, since it can enable various teams to speak the same controls language, even though they may have entirely different statutory, regulatory or contractual obligations that they are working towards.”

Armed with this information, developers now understand the impact application security might have on their company’s compliance goals. For example, Deepfactor can alert when environment variables are detected containing possibly sensitive information such as user IDs, passwords, credentials, secrets, etc. According to the SCF, this would violate the following SCF Control:

 

Cryptographic Key ManagementMechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.

Deepfactor’s new compliance module can:

  1. Alert developers on every occurrence when applications violate this SCF Control
  2. Identify which compliance frameworks are jeopardized by the violation(s)
  3. Provide direction to developers on remediation and education.

 

See below for an example—when sensitive information is discovered in the application’s environment variable, Deepfactor notifies the developer of the risk to compliance:

Secure Configuration – PCI DSS v3.2(3.5-3.5.4, 3.6-3.6.8) / SOC 2 Type 2(CC6.1)

 

Armed with this information, development teams now have greater visibility and understanding into the potential impact of system call risks, behavior violations, and vulnerabilities!

 

Helping Your Developers Write Compliant Code

With applications releasing faster than ever, many organizations are struggling to manage vulnerability and security risks across the SDLC, particularly the impact on top-down initiatives such as compliance. Deepfactor integrates into developers’ existing toolchains to deliver application-aware security insights with detailed information about application behavior, system calls, and stack traces that help pinpoint vulnerable code. This information is used to simplify and accelerate the adoption of DevSecOps by empowering engineering teams to develop secure, cloud native applications based on industry-standard compliance frameworks.

Visit our Release Notes for more information about our latest releases. And if you would like to learn more about Deepfactor’s new module and see it in action, join our webinar, “What Developers Need to Know About the Impact of Compliance Frameworks on Software Development,” Tuesday, January 25, 2pm ET / 11am PT. 

SANS 2022 DevSecOps Survey

Create a culture to significantly improve your organization’s security posture.

Download Now >

About the Author

Andrew Horrigan, Technical Product Marketing, Deepfactor

Subscribe to our monthly eNewsletter and stay up-to-date on everything Deepfactor has to offer!