Agile security measures for agile business models
At Agile Leadership Day, Christina Kistler (CCO) and Rolf Wagner (COO) of GObugfree AG spoke about the increasing threat of cybercrime and how agile security approaches such as Shift Left, Continuous Testing with Bug Bounty and Zero Trust Architecture can provide companies with proactive, holistic and systemic protection.
Every day we read of a new cyber attack. Digitalization enables innovative business models and with agile development methods, new functionalities are continuously released. However, this dynamic is increasingly leading to vulnerabilities that cybercriminals are exploiting - and for which conventional security measures appear to have reached their limits. As system complexity increases, existing security measures often fail to keep pace.
Cybercrime is a growing threat
In recent years, cyber attacks have increased in number, sophistication, and impact. Globally, cybercrime is the fastest growing form of crime and, in 2021, the global cost of cybercrime was over $6 trillion. Small and medium-sized enterprises (SMEs) often lack the resources and budget to adequately protect themselves against cyber attacks. According to a 2021 ZHAW study (Pugnetti-Casian-Cyber Risks and Swiss SMEs), one third of Swiss SMEs have already been victims of cyber attacks.
IT security: hindrance or enabler?
IT security, much like compliance or legal issues, is often seen as a hindrance. For it to become an enabler, security must be forward-looking and cybersecurity capabilities must be built proactively. Just as other areas of the business have adapted in the wake of agility to enable faster time to market and higher quality, so too must IT security. Done right, agile security measures support business agility: the ability of an organization to change its direction and position quickly and in a controlled manner.
Three examples of agile security measures: Shift Left, Continuous Testing, and Zero Trust Architecture
As with agility in general, the most important thing in IT security is the underlying mindset. The European and new Swiss data protection laws implicitly call for "security by design" and "security by default". Protection must be proactive, holistic and systematic.
Shift Left
The principle of Shift Left is about taking a task that is traditionally done at a later stage in the process and performing it at an earlier stage. This allows errors to be detected earlier and corrected more cost-effectively.
The Shift Left approach saves both the organization and its customers a great deal of effort in finding and fixing vulnerabilities. Quality and security awareness pay off, which is why it is worth investing in the training and security awareness of employees.
Continuous Security Testing, Bug Bounty
If you develop in an agile manner and constantly release new functionality, you should also test it constantly. Automated pentesting or vulnerability scanning as well as bug bounty programs offer protection here. A bug bounty program is a cost-effective method of identifying vulnerabilities. Under this approach, Friendly Hackers search for vulnerabilities in the system. They report their findings and are rewarded with a monetary amount (bounty).
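Both Shift Left and Continuous Security Testing come down to the same mechanism: the same automated check runs early (as a pre-commit hook on the developer's machine) and again on every release (as a CI stage). The script below is an added example, not code from GObugfree or from the talk; its rule set, the "# nosec" opt-out convention and the sample source file are constructed for illustration. It flags hard-coded secrets and a few insecure patterns and exits non-zero so that the commit or the pipeline stage fails before the code ships.

```python
"""Shift-left check: scan source files for hard-coded secrets and a few
insecure patterns before they are committed, and again in CI on every release.

Added example (not GObugfree code). The rule set and the sample input are
constructed for illustration; a production setup would use a maintained
scanner, this shows the mechanism.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# (rule id, description, compiled pattern). Patterns are kept narrow so the
# hook stays quiet on legitimate code and developers do not learn to ignore it.
RULES = [
    ("aws-access-key", "AWS access key ID committed",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", "private key material committed",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password", "password or secret literal assigned in code",
     re.compile(r"(?i)(?:password|passwd|secret)\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("tls-verify-off", "TLS certificate verification disabled",
     re.compile(r"\bverify\s*=\s*False\b")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (rule, line) match, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:  # explicit, reviewable opt-out (assumed convention)
            continue
        for rule_id, message, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, lineno, message))
    return findings


def scan_paths(paths) -> dict[str, list[Finding]]:
    """Scan each file; binary or unreadable files are skipped, not failed."""
    results = {}
    for p in paths:
        path = Path(p)
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        found = scan_text(text)
        if found:
            results[str(path)] = found
    return results


# Constructed sample of what a developer might accidentally stage. The AWS key
# is the placeholder value from AWS documentation, not a real credential.
SAMPLE_SOURCE = '''\
import requests
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2-prod"
resp = requests.get("https://api.example.test", verify=False)
token = os.environ["API_TOKEN"]  # fine: read from the environment
'''


def main(argv) -> int:
    """Usage: check_secrets.py FILE...  (pre-commit passes the staged files;
    in CI, pass the files changed in the merge request)."""
    results = scan_paths(argv)
    for path, findings in results.items():
        for f in findings:
            print(f"{path}:{f.line}: [{f.rule}] {f.message}")
    # A non-zero exit code blocks the commit or fails the pipeline stage.
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as a pre-commit hook it catches the problem minutes after it is typed; the identical script in the pipeline catches whatever bypassed the hook. Keeping both stages on one rule set is what makes the later stage a cheap safety net rather than a second, disputed source of truth.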
Zero Trust Architecture: “Never trust, always verify”
Instead of focusing on the static defense of network perimeters, the Zero Trust security model focuses on the context-sensitive and adaptive protection of corporate resources. What is worth protecting is not a perimeter per se but the individual resource or workload, wherever it happens to run. Zero Trust enables scalable security, which in turn allows the use of highly standardized and automated cloud services.
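To make "never trust, always verify" concrete, the following added example (not code from GObugfree or the talk) evaluates every request against identity, authorization and device posture, and deliberately ignores the network the request arrives from. The resources, groups, posture attributes and sample requests are constructed for illustration.

```python
"""Per-request access decision in the Zero Trust style.

Every request is judged on who is asking, what they are allowed to do on
this specific resource, and the state of the device they use. The network
location is recorded but never consulted: being on the corporate LAN grants
nothing. Added example with constructed policies and requests.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships from the identity provider
    mfa: bool                  # strong authentication satisfied for this session
    device_managed: bool       # device enrolled in management
    device_patched: bool       # device meets the patch baseline
    resource: str
    action: str
    network: str               # "corp-lan", "vpn", "internet": informational only


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up: bool = False      # not allowed yet: caller must run an extra check


# Per-resource policy: who may do what, and whether a managed device is required.
# Every resource is protected on its own terms; there is no "inside" zone.
POLICIES = {
    "crm":     {"groups": {"sales", "support"}, "actions": {"read", "write"}, "managed_device": False},
    "payroll": {"groups": {"hr"},               "actions": {"read", "write"}, "managed_device": True},
    "prod-db": {"groups": {"sre"},              "actions": {"read"},          "managed_device": True},
}


def evaluate(req: Request) -> Decision:
    policy = POLICIES.get(req.resource)
    if policy is None:
        return Decision(False, "unknown resource: default deny")
    # 1. Identity: strong authentication on every request, regardless of network.
    if not req.mfa:
        return Decision(False, "MFA not satisfied")
    # 2. Authorization: least privilege per resource and per action.
    if not (req.groups & policy["groups"]):
        return Decision(False, f"{req.user} is not in an authorized group for {req.resource}")
    if req.action not in policy["actions"]:
        return Decision(False, f"action '{req.action}' not permitted on {req.resource}")
    # 3. Device posture: sensitive resources require a managed, up-to-date device.
    if policy["managed_device"] and not req.device_managed:
        return Decision(False, "unmanaged device may not access this resource")
    if policy["managed_device"] and not req.device_patched:
        return Decision(False, "device below patch baseline: step-up verification required", step_up=True)
    # req.network is intentionally never checked.
    return Decision(True, "identity, authorization and device posture verified")


# Constructed sample requests. Note that the LAN request is denied and the
# internet request is allowed: location is not a credential.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"sre"}), True, False, False, "prod-db", "read", "corp-lan"),
    Request("bob", frozenset({"hr"}), True, True, True, "payroll", "write", "internet"),
    Request("carol", frozenset({"sales"}), True, True, True, "prod-db", "read", "vpn"),
    Request("dave", frozenset({"hr"}), True, True, False, "payroll", "read", "corp-lan"),
]


def decide_all(requests) -> list[tuple[str, bool, str]]:
    """Evaluate a batch and return (user, allowed, reason) for logging or tests."""
    return [(r.user, evaluate(r).allow, evaluate(r).reason) for r in requests]


if __name__ == "__main__":
    for user, allowed, reason in decide_all(SAMPLE_REQUESTS):
        print(f"{user}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The ordering of the checks is the design point: identity first, then least-privilege authorization, then device posture, each evaluated on every request. Because the decision never depends on the perimeter, the same policy engine protects a workload whether it runs in the data center or in an automated cloud service.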
Bringing it all together
Bug bounty programs are a cost-effective way to get continuous, outside-the-box security testing. But they should not be the only security measure. Software and security bugs can be discovered at various stages of the product life cycle. Already in the earlier stages of development, measures such as security awareness training and the close involvement of IT security experts in the design of new applications help. Code reviews, security audits and pentesting also belong in the mix. In the end, it’s about doing as much as you can to protect yourself. In the words of Kevin Mitnick: “You can never protect yourself 100%. What you do is protect yourself as much as possible.”