Vulnerability management

Trend 9: SBD adoption embeds security early and ensures digital trust

SBD identifies and verifies security requirements during the build and test phases before go-live. Similarly, privacy regulations, such as GDPR, mandate PbD, ensuring the consent is captured and managed via data collection. The personally identifiable information must be secured while in use and destroyed when no longer needed.

Organizations are developing enterprise-level security policies, design frameworks, guidelines, and checklists, along with approved tools and components. Established gating criteria and governance processes ensure required security measures.

Secure architecture reviews and threat modeling identify design and architecture flaws. DevSecOps enables the identification and closure of weaknesses during the development and operation phases. Organizations need a central team to provide whitelisted components and to vet and approve any new open source components, if required.

Vendors such as Microsoft and Myappsec provide threat modeling tools, while Micro Focus, Qualys, Nessus, Rapid7, Veracode, CheckMark, SonarQube, Palo Alto, Onapsis, and Black Duck scan and identify weaknesses. A central process and platform are needed to ensure governance and traceability for effective implementation of SBD and secure SDLC.

A global software platform and services provider wanted to strengthen its product security implementation processes. Infosys helped the company enable SBD through SDLC implementation for its product development life cycle. DevSecOps was implemented for automated scans with continuous monitoring to reduce the cost of security inclusion and enable developer self-help.

Vulnerability management

Trend 10: Enterprise resource planning (ERP) on cloud adoption emphasizes business-critical ERP application security

With ERP solutions now exposed to the cloud, hacker activities have significantly increased. While ERP vendors have native solutions, there are niche solutions from vendors such as Onapsis that provide end-to-end protection of business-critical ERP solutions.

It is critical to detect and prevent unauthorized changes and configurations that expose an ERP solution's vulnerabilities. Hence, holistic businesscritical application security or ERP security is now a priority for CXOs.

Organizations need tools and processes to detect and fix weaknesses in custom third-party applications; continuously assess IT controls to meet compliance requirements and enforce configurations to harden the systems; control and mitigate risks during change, be it routine code, application, and system maintenance or patching or modernization to the cloud; and get real-time visibility and alerts to respond to breaches.

A leading U.S.-based pharmaceutical company wanted to improve its SAP ERP security posture and reduce compliance cost. It partnered with Infosys to implement the Onapsis platform and integrate an IT service management tool. The company benefited from continuous vulnerability scanning and alerts, improved workflows, and compensating controls to maintain compliance between audits.

Vulnerability management

Trend 11: Ticketless infrastructure VM minimizes manual efforts

Infrastructure vulnerabilities are identified using automated scanning tools in real time. Postidentification, the critical step is to prioritize and remediate the vulnerabilities. The tracking and assignment of these vulnerabilities were done manually using spreadsheets until the recent past.

The ticketless (self-service) and platform-based VM requires no manual effort. Using the shift-left approach, remediation teams and asset owners are given access to vulnerability dashboards designed specifically for them. They can analyze vulnerabilities in the assets owned by them and work on remediation accordingly. This makes vulnerability tracking error-free, providing more time to the remediation team to fix vulnerabilities.

A European postal services company wanted to reduce time, effort, and cost of its VM and remediation processes. The company leveraged Infosys' Cyber Scan platform to implement ticketless VM and establish a more secure infrastructure.

Subscribe

To keep yourself updated on the latest technology and industry trends subscribe to the Infosys Knowledge Institute's publications

Infosys TechCompass