Dell Technologies Talks Secure Development Life Cycle
Eric Baize, Dell Technologies' vice president of product and application security, was on hand at RSA to talk about the importance of having a secure development life cycle (SDL) process for software security. He's responsible for ensuring security is built into technology from design to deployment.
Baize also talked about the important steps organizations should take to create a software bill of materials and build it into their SDL process.
“Because customers are on the constant catch-up, what we see is that most cybersecurity attacks, whether it be a phishing attack or an intrusion, are most often rooted in either zero day, meaning a software vulnerability or a system which has not been patched, which is the same thing as it’s still a software vulnerability,” he said. “So the whole ecosystem is looking at security as, how can I patch faster or can I be more effective? But nobody is looking at the root cause of this, which is, why do we have a software vulnerability in the first place.
“Every time you have a team patching a system, you have a team that developed software that created a bug that was a vulnerability. So the SDL is all about, how do we create secure software from the get-go, and how do we design systems, application products, thinking like an attacker, from a requirement, development and testing standpoint? It is about looking at solving the security problem at the root of the problem, not after it’s too late.”
In addition, a software bill of materials helps you understand where the code you have in the product is coming from, Baize said.
“All systems or products today are made of many components,” he said. “The reason it’s important is that if you understand where the components are from, first of all, you can understand what level of security was put in a component. You can make sure you have the latest up-to-date components deployed and you don’t leave open doors into your components. And also, if there’s an issue on the component, the vendor will know which product they have to update and match. So it’s an important practice.”
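The two uses Baize describes for a bill of materials, knowing which products ship a component that has an issue and spotting components that are behind the current release, are easy to show in code. The script below is an added example written for this article, not Dell's tooling; the product names, component names, versions, advisory IDs and "latest release" table are all constructed for illustration.

```python
"""Cross-reference a software bill of materials (SBOM) against advisories.

Added example for illustration only. Every product, component, version,
advisory ID and latest-release value below is constructed; none is real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str  # where the code came from (the SBOM's provenance field)


# Constructed SBOMs: one entry per product, listing the components it ships.
SBOMS = {
    "Product-A": [
        Component("libparse", "1.2.0", "upstream-oss"),
        Component("netcore", "3.0.1", "vendor-internal"),
    ],
    "Product-B": [
        Component("libparse", "1.4.2", "upstream-oss"),
        Component("cryptolib", "2.9.0", "upstream-oss"),
    ],
}

# Constructed advisory feed: versions below "fixed_in" are considered affected.
# The IDs are placeholders, not real advisory or CVE identifiers.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "component": "libparse", "fixed_in": "1.4.0"},
    {"id": "ADV-0002 (placeholder)", "component": "cryptolib", "fixed_in": "3.0.0"},
]

# Constructed table of the newest known release of each component, used to
# flag components that are merely stale even when no advisory names them.
LATEST = {"libparse": "1.4.2", "netcore": "3.1.0", "cryptolib": "3.0.0"}


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def affected_products(sboms=SBOMS, advisories=ADVISORIES) -> dict:
    """Map each advisory ID to the products shipping a version below its fix.

    This is the "vendor knows which product to update" use of an SBOM.
    """
    hits = {}
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for product, components in sboms.items():
            for c in components:
                if c.name == adv["component"] and parse_version(c.version) < fixed:
                    hits.setdefault(adv["id"], []).append(product)
    return hits


def stale_components(sboms=SBOMS, latest=LATEST) -> list:
    """List (product, component, shipped, newest) for components behind the newest release.

    This is the "latest up-to-date components deployed" check.
    """
    stale = []
    for product, components in sboms.items():
        for c in components:
            newest = latest.get(c.name)
            if newest and parse_version(c.version) < parse_version(newest):
                stale.append((product, c.name, c.version, newest))
    return stale


if __name__ == "__main__":
    for adv_id, products in affected_products().items():
        print(f"{adv_id}: update {', '.join(products)}")
    for product, name, shipped, newest in stale_components():
        print(f"{product}: {name} {shipped} is behind {newest}")
```

In practice the SBOM would be read from a CycloneDX or SPDX document and the advisory feed from a vulnerability database rather than from inline dictionaries, but the join is the same: match on component name and compare versions, then report per product.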
Baize equates it to being healthy.
“If you want to be healthy, there is not one pill you can take; that’s not the way it works,” he said. “You have to exercise, you have to eat well and you have to do the hygiene, and then you are more likely to be healthy. Now you may die anyway. You may have a vulnerability even if you do the secure SDL. The software bill of materials is one of these practices that makes your software a more secure software.”
The channel and partners have a role to play in software security by educating their customers, Baize said.
“So part of it is explaining, for instance, what security resources are available from a vendor,” he said. “From a Dell standpoint, part of our security life cycle requires that we issue a secure security configuration guide with each product so that customers know how to help harden the product.”