• With the continuous stream of data breaches, network disruptions, and ransom attacks, we have collectively begun to become desensitized to cybersecurity incidents of all sizes.  Nobody wants to be the next headline in the news as the unsuspecting victim.  As a result, chief information security officers (CISOs) and security teams are under increasing pressure to secure vulnerabilities and prevent attacks.

    Meanwhile, product teams and business managers are increasingly under pressure to make delivery commitments and meet deadlines. They don’t want to be in the news any more than their security colleagues.  However, priorities between the cybersecurity team and business teams are not always aligned.  Friction between mitigating security risks and making schedule deadlines often results in frustration and strained relationships. Keep reading for some approaches to bridge the gap between the cybersecurity team and business operations.

    1. Speak the Same Language

    Technical experts in different domains often encounter collaboration challenges due to the distinct jargon and terminology associated with their discipline.  Will software developers understand the output of a security scanning tool? Will InfoSec approvers understand the contents of an application log? 

    Speaking the same language doesn’t mean turning your software developers into forensic analysts. However, it does mean that they should study and learn cybersecurity best practices for applications in their industry. The best engineers know how to think like an attacker so that they can design and build the right mechanisms to foil attacks. Conversely, your cybersecurity professionals should know and understand the fundamentals of system architecture and engineering. To achieve this end, you might need to establish IT centers of excellence, partner tech leaders across disciplines, or even temporarily embed team members into cross-functional areas.

    Common language and understanding allows for substantive and meaningful engagements. It also fosters trust and credibility between teams for talking through requirements and constraints.

    2. Start Early

    The best mitigation for a potential vulnerability is to design it out of the system before it can be built in. The security team is a key stakeholder in the project, and its requirements should be captured alongside the business owner’s needs. They should also be prioritized independently as part of the architecture runway. No completed iteration is truly deployable unless it is secure.

    You never want to be in the position of absorbing re-work due to security vulnerabilities.  An even worse prospect is to be forced into reactive mode due to an ongoing attack. Start your security work as early as possible.

    3. Plan for the Worst

    Zero trust security teaches us to trust nothing and inspect everything. However, all the required scanning will certainly take time in the project schedule, not to mention the time needed to mitigate the scan findings. Factor in time to work the vulnerabilities out of your system with proper coverage.

    4. Automate, Automate, Automate

    Built-In Security

    Integrate application security tools into your system value chain. These tools can be deployed early in your development cycle and provide the coverage needed to review modules and components for weak spots as they are being developed.  An important benefit, especially for government agencies, is that they can also save time by populating compliance documents with automatically detected security information and applied techniques.

    Continuous Assessment

    Integrate security configuration, testing, and validation into your CI/CD pipeline. This allows all teams to maintain ongoing awareness of compliance and vulnerability status. The real-time security data also provides for proactive management of vulnerability risk.

    5. Organize Strategically

    Is your organization properly staffed to deliver secure systems? Rapid delivery requires a complete engineering team staffed with information security experts. Without sufficient numbers, it’s common for the cybersecurity team to become overextended. Any approving entities must also be set up to review and adjudicate quickly. Review your allocations often and build up your cybersecurity team to keep pace with the flow of business.


    As your organization evaluates risk and exposure to cyber attacks, remember that there will always be new threats that can impact a business of any size.  When your operations and cybersecurity teams are at odds, no one wins. It’s incumbent upon leadership to foster the right balance of priorities, digital solutions, and team collaboration.

  • There was a time when you could buy software from a trusted vendor and have confidence that everything in the system was created from a safe source. However, modern software is the product of a code supply chain. Creating and maintaining software built from scratch is simply too inefficient to sustain in a competitive, time-sensitive market. As a result, the following trends have been observed in commercially available software products:

    • 80% of the included code is open source
    • 18% of components incorporated from repositories contain known threats
    • 3M known vulnerabilities have no corresponding CVE
    • 66% have had a software supply chain attack within the last year

    *Sources: Sonatype, Crowdstrike, Grand View Research

    Meanwhile, software vendors are not exactly eager to share the “secret sauce” of how their products are assembled. Software consumers are under increasing pressure to protect their organizations from a rising accumulation of threats. How does one assess the risk exposure of deploying someone else’s code, even software that you have paid for? This post will provide some ideas for managing software supply chain trust.

    Managing Trust

    The first step towards minimizing the risk of threat exposure is to understand your organization’s code supply chain. The automobile, electronic manufacturing, and pharmaceutical industries have long understood the need for provenance and veracity in their supply chains. Who are your vendors? What open source products do you use? What do you build on your own? Most importantly, what could come back to bite you?

    Scope out your supply chain by investigating and understanding how source code, configuration items, and packages get into your deployment pipeline.  This might be done by creating a simple diagram of the deployment architecture and then marking the accessible entry points. Once you have identified the vulnerable spots, create clear policies for those who have access and then enforce them. These policies should focus on:

    Repository Management: Create and enforce rules surrounding what is allowed to be stored in your software repositories, and how each repository is to be curated.

    Vulnerability Management: Constantly scan and assess for risks arising from third-party components and custom code libraries. Code should be scanned continuously throughout each stage of the life-cycle. We can recommend a number of quality scanning tools for each type of artifact.

    Configuration Management: Create and enforce rules surrounding access management, passwords and secrets, audit logging, code promotion, deployment, and automated orchestration.

    The operations team must work closely with development and security to effectively review alerts and respond accordingly.  There is no substitute for active risk assessment and policy enforcement.
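    As an added illustration (not code from the post or from any product it mentions), the following Python policy gate applies the three policy areas above to a constructed component list: it flags components fetched from outside an approved set of registries (repository management), components that are not pinned by content hash (configuration management), and components listed in an advisory feed (vulnerability management), then decides whether the build may be promoted. The registry URLs, package names, hashes and advisory identifiers are all constructed placeholders, and the feed would in practice come from your scanner rather than a dictionary.

```python
from dataclasses import dataclass

# Policy inputs, constructed for this example. A real organization would
# derive them from its artifact repository rules and its scanner's feed.
ALLOWED_SOURCES = {
    "https://registry.npmjs.org",
    "https://pypi.org/simple",
    "https://artifacts.example.internal",  # hypothetical curated internal mirror
}
# Advisory ids below are placeholders, not real CVE or GHSA identifiers.
KNOWN_VULNERABLE = {
    "pkg:npm/left-pad-clone@1.0.0": ("ADV-PLACEHOLDER-0001", "critical"),
    "pkg:pypi/requests-ish@2.0.1": ("ADV-PLACEHOLDER-0002", "medium"),
}
BLOCKING_SEVERITIES = {"high", "critical"}


@dataclass
class Finding:
    purl: str      # package URL identifying the component
    rule: str      # which policy area raised it
    severity: str
    detail: str


def check_component(comp):
    """Apply the repository, integrity and vulnerability rules to one component."""
    findings = []
    purl = comp["purl"]
    # Repository management: only curated registries may feed the build.
    source = comp.get("source")
    if source not in ALLOWED_SOURCES:
        findings.append(Finding(purl, "repository", "high",
                                f"fetched from non-approved source {source!r}"))
    # Configuration management: every artifact must be pinned by content hash,
    # because a version tag alone can be re-published with different contents.
    if not comp.get("hash", "").startswith("sha256:"):
        findings.append(Finding(purl, "integrity", "medium", "no sha256 pin"))
    # Vulnerability management: consult the advisory feed for this exact version.
    if purl in KNOWN_VULNERABLE:
        advisory, severity = KNOWN_VULNERABLE[purl]
        findings.append(Finding(purl, "vulnerability", severity,
                                f"known advisory {advisory}"))
    return findings


def evaluate(components):
    """Collect findings across a whole component list (e.g. one SBOM)."""
    return [f for comp in components for f in check_component(comp)]


def gate(components):
    """True if the build may be promoted, False if any blocking finding exists."""
    return not any(f.severity in BLOCKING_SEVERITIES for f in evaluate(components))


# Constructed sample SBOM-style entries; hashes are short placeholders.
SAMPLE_COMPONENTS = [
    {"purl": "pkg:npm/sample-ui@3.1.0", "source": "https://registry.npmjs.org",
     "hash": "sha256:aa11"},
    {"purl": "pkg:npm/left-pad-clone@1.0.0", "source": "https://registry.npmjs.org",
     "hash": "sha256:bb22"},
    {"purl": "pkg:pypi/requests-ish@2.0.1", "source": "https://pypi.org/simple",
     "hash": ""},
    {"purl": "pkg:generic/vendor-sdk@9.9", "source": "https://downloads.some-vendor.example",
     "hash": "sha256:cc33"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_COMPONENTS):
        print(f"[{f.severity:8s}] {f.rule:13s} {f.purl}: {f.detail}")
    print("promote build:", gate(SAMPLE_COMPONENTS))
```

    The gate is deliberately strict on source and severity but only warns on a missing hash; where you draw that line is the policy decision the post asks you to make explicitly and then enforce.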

    Modeling and Simulation

    Even in an ideal setup, your system of security alerts and policy violations can only provide a reactive, rearview picture of what has already happened within your software pipeline. Some challenges to a SIEM-only compliance approach include:

    • Misconfigured security controls due to lack of contextual knowledge, frequent changes that impact other security controls, and unavoidable administrative errors
    • Missing security controls due to lack of understanding of the threat environment, risk priority understanding, or available operational budget
    • Inability to patch due to potential impact to business operations. Many systems cannot simply be patched at will.

    By the time you are able to respond, the attack is already underway. The total damage inflicted becomes a function of how quickly you respond to and contain the attack once you have detected it.

    Modeling and simulation solutions form the proactive arm of your security strategy.  This approach has been used for many years in practical applications such as weather forecasting, power grid management, automotive engineering, structural architecture design, forensics analysis, flight training, and medical procedures.

    How Does it Work?

    The process starts by creating a replica of your environment. This will typically include representative constructs for the system infrastructure, applied security controls, known vulnerabilities, architecture components, and threats. For example, you might want to create a malware attack model where you include:

    • Comparisons of known malware
    • Network packet flow
    • Application behavioral profiles
    • System event history
    • Authentication credentials and signatures
    • User session flows

    Another example might be to create an insider threat model where you include:

    • Human resource data
    • Individual behavioral profiles
    • RBAC tables
    • User activity logs
    • Exploit time windows

    Once a suitable model is in place, executing simulated attack scenarios allows you to safely assess the preparedness of your system. Simulation technology affords the ability to run numerous complex attack scenarios quickly, and the results highlight the probability of compromise and the potential damage associated with an attack.

    Now that we have actionable intelligence regarding potential attacks we can take the following proactive steps:

    • Identify the available countermeasures for each compromise that occurred during simulation
    • Prioritize the mitigation of vulnerabilities to maximize the efficiency of organizational resources in implementing security solutions
    • Remediate the vulnerabilities and check their effectiveness by running new simulations
    • Track progress and continue to update the model as the architecture and system configuration evolve
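    To make the simulate, prioritize, remediate and re-run loop concrete, here is an added Python example that is not from the post or any modeling product: a toy attack model of four environment nodes with assumed per-step success probabilities, an exact computation of the probability that the database node is reached from the internet, and a ranking of hypothetical countermeasures by the compromise probability that remains after each one is applied. Every node, step probability and countermeasure is a constructed assumption chosen to keep the model small enough to enumerate exhaustively.

```python
from collections import deque
from itertools import product

# Constructed attack model: (source, target, weakness) -> assumed probability
# that an attacker who holds `source` completes the step to `target`.
BASELINE = {
    ("internet", "web", "unpatched web framework"): 0.6,
    ("web", "app", "default service credentials"): 0.5,
    ("web", "db", "database port reachable from DMZ"): 0.2,
    ("app", "db", "SQL injection in reporting module"): 0.4,
}

# Hypothetical countermeasures: the step each one affects and the residual
# step probability assumed once the control is in place.
COUNTERMEASURES = {
    "patch web framework": (("internet", "web", "unpatched web framework"), 0.1),
    "remove default credentials": (("web", "app", "default service credentials"), 0.05),
    "restrict db to app subnet": (("web", "db", "database port reachable from DMZ"), 0.0),
    "parameterize reporting queries": (("app", "db", "SQL injection in reporting module"), 0.05),
}


def reachable(steps, start, goal):
    """BFS over the subset of attack steps that succeeded in one outcome."""
    adj = {}
    for src, dst, _ in steps:
        adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def compromise_probability(model, start, goal):
    """Exact P(goal reachable from start), treating steps as independent.
    Enumerates all 2^E success/failure outcomes, which is fine for a toy model."""
    edges = list(model)
    total = 0.0
    for outcome in product([False, True], repeat=len(edges)):
        p, succeeded = 1.0, []
        for edge, ok in zip(edges, outcome):
            p *= model[edge] if ok else 1.0 - model[edge]
            if ok:
                succeeded.append(edge)
        if p > 0.0 and reachable(succeeded, start, goal):
            total += p
    return total


def apply_controls(model, names):
    """Return a copy of the model with the named countermeasures applied."""
    patched = dict(model)
    for name in names:
        edge, residual = COUNTERMEASURES[name]
        patched[edge] = residual
    return patched


def prioritize(model, start, goal):
    """Rank single countermeasures by the compromise probability left after each."""
    ranked = [(name, compromise_probability(apply_controls(model, [name]), start, goal))
              for name in COUNTERMEASURES]
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    print(f"baseline P(db compromised) = {compromise_probability(BASELINE, 'internet', 'db'):.3f}")
    for name, residual in prioritize(BASELINE, "internet", "db"):
        print(f"  {name:32s} -> {residual:.3f}")
```

    Re-running `compromise_probability` on the model returned by `apply_controls` after a fix is the "remediate and check" step; updating `BASELINE` as the architecture changes is the "track progress" step. The ranking shows why prioritization matters: the control that sits on the single entry step removes far more risk than the one on the most severe-sounding weakness.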

    Answer: Don't Trust Anything

    The question posed in the title of this post is largely in jest. For modern software, it’s almost never wise to implicitly trust anything in your supply chain. Validate the trustworthiness of every element. Nothing should ever be allowed to move through your system without restriction. It’s true that a zero trust model can be complex to implement. However, the days of being able to take chances with external and internal threats have gone by the wayside.


    Open source software is a powerful engine for innovation, and the best developers in the world leverage it effectively. However, as responsible IT leaders within organizations that rely on us to keep them safe, we simply can’t ignore the associated security concerns. Through continuous monitoring and automated assessment, organizations are finding ways to stay ahead of cyber threats and are managing to significantly reduce the risk of being exposed. Risk modeling and attack simulation technologies allow us as IT professionals to visualize and simulate the interaction of our system with a potential attack. By repeating the analysis frequently, organizations are minimizing their overall risk while protecting their core business and most sensitive data.

About Us

Welcome to your expectations exceeded. Choice Consulting Associates is a full service IT solutions provider based in the Washington DC metropolitan area.  

Through innovation, we help organizations unleash the power of technology to bolster their success.   
