
Application Security at the Speed of Agile

The exponential pace of technological progress has been matched by an exponential rise in digital crime. In his book Future Crimes, Marc Goodman – former advisor to both the FBI and Interpol – writes:

The fact that today’s technologies are exponential in their growth curves, not linear, is absolutely fundamental to understanding the next phase of human evolution. We are now in exponential times. …What might the next forty years bring? Much more good, and potentially much more evil than most of us could possibly imagine.

Alongside this overall acceleration of technology, the speed of software development has increased as well, most visibly in agile development environments.

I’m seeing some organizations that have proactively – or much more often, reactively – begun investing in cybersecurity to protect their company, their intellectual property, or their customers’ sensitive data. But security management in these agile frameworks is particularly complicated. Today, many development practices prioritize smaller but more frequent product build updates. In fact, teams in some organizations may be pushing updates as often as every day. Because of this, the time and resources available to conduct necessary security testing have become highly limited, and security is often treated as an afterthought.

So how do you manage data security in fast-paced development environments from a business perspective? What tools are best to use? How do you mitigate security risks without delaying updates? Deja vu Security recently teamed with industry leaders for our second security summit to discuss the unique technological and business-related risks associated with agile development frameworks. Our distinguished speakers included security experts from ExtraHop, Oblivious.io, GE Healthcare, and other tech organizations. A few key takeaways that companies can leverage from the speakers’ expertise:

  • Discuss and describe product security with stakeholders in a structured way. Analyze and document all attack surfaces, security-relevant features, potential threats against resources, the mitigations for those threats, and the test cases that verify each mitigation—and then confirm a shared understanding of each threat.
  • Reflect on the assets you need to protect, such as customer data, secrets, privacy, device integrity, and IP.
  • Threat-model effectively, with accurate, unambiguous diagrams of sufficient depth, assumptions clearly stated, and dependencies identified. Threats should be well thought out, and mitigations chosen and implemented appropriately.
  • When assessing risk, assume the worst-case scenario. Always round up, and track the changing threat landscape and apply it to your assessments. Don’t debate the “no brainer” issues: attackers only need to find one vulnerability to wreak havoc, so careful, focused analysis and understanding are key to informed prioritization and decision making.
  • Put the customer first, use common sense, and demonstrate security leadership.
  • When implementing security processes, ask your team how quickly they’ve found security vulnerabilities. Measure the time from when a vulnerability was introduced to when a fix was deployed. Look at existing feedback mechanisms, not only the type of feedback but also its availability and visibility. Integration will involve a lot of collaboration between team members, since it affects the development process, build, and deployment, and also requires its own maintenance. Humans are still very important in this cycle. Minimize the tedious day-to-day tasks to free people up to focus on the things they do best.
  • People are famous for ignoring updates – ensure the team makes it a priority to act on these items. This is a simple but effective preventative strategy.

Security can be a highly complex challenge, especially in agile development environments where speed and flexibility are key. But if there was one prevailing attitude at Deja vu Security’s Agile Security Summit, it was optimism. Building and maintaining security in agile environments requires extensive planning, a good deal of resources including finances and manpower, and willing leadership – but it also relies heavily on simple common sense. The industry leaders who lent their expertise at the summit drove both points home, laid out specific ideas, examples, and strategies they’ve implemented in their own organizations, and encouraged attendees to try them out for themselves.

I was honored to hear from these voices of leadership in cybersecurity and am looking forward to Deja vu Security’s third summit, coming up on September 20. The topic is “Scaling Smart,” and we’ll be discussing how to grow and scale while prioritizing and executing security plans. You can request an invite or submit a talk at dejavusecurity.com/events.

Author

  • Akshay Aggarwal

    Akshay Aggarwal is a security entrepreneur and founder of Deja vu Security, where he is responsible for the company’s emerging technologies practice, strategy and client relations. He is a frequent author and speaker, most recently on Blockchain security, cryptocurrencies and API security. He holds a master’s degree from the University of California at Davis and is an alumnus of its Computer Security Lab.
