Secure by design means identifying security requirements upfront, during the architecture definition and design phases, and then verifying that those requirements have been met during the build and test phases, before go-live. Similarly, privacy regulations such as GDPR mandate privacy by design: consent must be captured and managed for every data collection, and the personally identifiable information (PII) collected must be protected from breaches and from unauthorized access or use, and destroyed when it is no longer needed.
Organizations are developing enterprise-level security policies, design frameworks, guidelines and checklists, along with approved tools and components for use across the organization. Established gating criteria and governance processes ensure that security is built into every technology initiative, with any exceptions tracked to closure.
Secure architecture reviews and threat modeling help to identify design and architecture flaws. DevSecOps adoption enables weaknesses to be identified and closed during the development and operation phases, improving product quality and reducing time to market. Organizations need a central team in place to maintain the list of approved (white-listed) components, and to vet and approve any new open-source components that teams wish to use.
Vendors such as Microsoft and Myappsec provide threat modeling tools, while Micro Focus, Qualys, Tenable (Nessus), Rapid7, Veracode, Checkmarx, SonarQube, Palo Alto Networks, Onapsis and Black Duck offer scanners that identify weaknesses. A central process and platform are needed to ensure governance and traceability for effective implementation of secure by design and a secure SDLC.
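The gating criteria, the central component allow-list and the tracked exceptions described above can be enforced mechanically in the build pipeline. The following is an added example, not code from the page or from any of the vendors it names: a gate that checks a pinned requirements file against an allow-list of approved package versions and an exception register with owners and expiry dates. The allow-list, the exception register, the ticket identifiers and the requirements file are all constructed for illustration.

```python
"""Added example: a pipeline gate enforcing a central allow-list of components.

Everything below (allow-list, exception register, requirements file) is
constructed for illustration and is not the page's or any vendor's data.
"""
from dataclasses import dataclass
from datetime import date

# Constructed allow-list maintained by the central component team:
# package name -> set of approved, exactly pinned versions.
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "cryptography": {"42.0.8", "43.0.1"},
    "pyyaml": {"6.0.2"},
}

# Constructed exception register: an unapproved package may ship only while
# a tracked exception is open. Each entry records the ticket, owner and expiry,
# so the exception can be "tracked to closure" rather than forgotten.
EXCEPTIONS = {
    "internal-legacy-lib": {"ticket": "SEC-1234", "owner": "team-payments",
                            "expires": date(2025, 3, 31)},
}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    # one of: approved, exception, expired-exception, unapproved-version, unapproved
    status: str
    detail: str = ""


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Parse 'name==version' lines; comments and blank lines are skipped.
    Unpinned lines get version '' so the gate treats them as unapproved."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps.append((name.strip().lower(), version.strip()))
        else:
            deps.append((line.lower(), ""))
    return deps


def evaluate(deps, today: date, approved=APPROVED, exceptions=EXCEPTIONS) -> list[Finding]:
    """Classify each dependency against the allow-list and the exception register."""
    findings = []
    for name, version in deps:
        if name in approved:
            if version in approved[name]:
                findings.append(Finding(name, version, "approved"))
            else:
                findings.append(Finding(name, version, "unapproved-version",
                                        f"approved: {sorted(approved[name])}"))
        elif name in exceptions:
            exc = exceptions[name]
            status = "exception" if exc["expires"] >= today else "expired-exception"
            findings.append(Finding(name, version, status,
                                    f"{exc['ticket']} owner={exc['owner']} expires={exc['expires']}"))
        else:
            findings.append(Finding(name, version, "unapproved"))
    return findings


def gate_passes(findings) -> bool:
    """The build may proceed only if every component is approved or under an open exception."""
    return all(f.status in ("approved", "exception") for f in findings)


def run_gate(requirements_text: str, today_iso: str) -> tuple[bool, list[Finding]]:
    """Convenience entry point: parse, evaluate as of the given ISO date, and decide."""
    findings = evaluate(parse_requirements(requirements_text), date.fromisoformat(today_iso))
    return gate_passes(findings), findings


# Constructed requirements.txt for a service under review.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
cryptography==41.0.0        # older than any approved build
pyyaml==6.0.2
internal-legacy-lib==1.0.0  # covered by exception SEC-1234 until 2025-03-31
colorama                    # unpinned and not on the allow-list
"""

if __name__ == "__main__":
    ok, results = run_gate(SAMPLE_REQUIREMENTS, "2025-01-15")
    for f in results:
        print(f"{f.status:<20} {f.package}=={f.version or '<unpinned>'}  {f.detail}")
    print("gate:", "PASS" if ok else "FAIL")
```

Run again with a date after the exception's expiry and the same file fails for an additional reason: the legacy library flips to "expired-exception", which is the point of recording expiry dates on exceptions rather than granting them indefinitely.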
A global software platform and services provider looked to strengthen its product security processes. Infosys partnered with them to embed secure by design in a secure SDLC for their product development lifecycle. DevSecOps was implemented with automated scans, continuous monitoring and support, reducing the cost of including security and enabling developer self-help.
ERP systems have been fundamental enablers and the epicenter of business. For decades, SAP and Oracle have been the largest ERP players. With enterprise assets and data collected, processed, analyzed and reported through ERP systems, they have been the target of frequent breaches. These threats have only increased with ERP applications moving to the cloud.
Given the nature of these applications, it is critical to detect and prevent unauthorized changes and misconfigurations that expose an ERP to attack. Hence, holistic business-critical application security, or ERP security, is now a priority for CXOs.
Organizations need tools and processes in place to (a) detect and fix weaknesses in custom and third-party applications, (b) continuously assess IT controls against compliance requirements and enforce hardened configurations on the systems, (c) control and mitigate risk during change, whether routine code, application and system maintenance, patching, or modernization to the cloud, and (d) get real-time visibility and alerts in order to respond to breaches.
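Points (b), (c) and (d) above amount to two concrete checks: does the live configuration meet a hardening baseline, and did anything change during a maintenance window that was not covered by an approved change record. The following is an added example, not code from the page or from Onapsis or Infosys, showing both checks over constructed data. The parameter names are real SAP NetWeaver profile parameters, but the baseline thresholds, the two snapshots and the change ticket are assumed for illustration.

```python
"""Added example: hardening-baseline and change-control checks for ERP
profile parameters. Baseline thresholds, snapshots and the change record are
constructed for illustration; only the parameter names are real SAP names.
"""
from dataclasses import dataclass

# Constructed hardening baseline: parameter -> (operator, threshold).
BASELINE = {
    "login/min_password_lng": ("min", 12),          # at least 12 characters
    "login/fails_to_user_lock": ("max", 5),         # lock after at most 5 failures
    "login/password_expiration_time": ("max", 90),  # rotate within 90 days
    "login/no_automatic_user_sapstar": ("eq", 1),   # SAP* must not auto-exist
    "rdisp/gui_auto_logout": ("max", 1800),         # idle GUI logout <= 30 min
}

# Constructed snapshots of one system before and after a maintenance window.
BEFORE = {
    "login/min_password_lng": 12,
    "login/fails_to_user_lock": 5,
    "login/password_expiration_time": 90,
    "login/no_automatic_user_sapstar": 1,
    "rdisp/gui_auto_logout": 3600,   # pre-existing weakness, already out of baseline
}
AFTER = {
    "login/min_password_lng": 6,     # weakened, no ticket
    "login/fails_to_user_lock": 5,
    "login/password_expiration_time": 90,
    "login/no_automatic_user_sapstar": 0,   # weakened, no ticket
    "rdisp/gui_auto_logout": 1800,   # the one approved change
}

# Constructed change record: parameter -> (ticket, approved old value, approved new value).
APPROVED_CHANGES = {"rdisp/gui_auto_logout": ("CHG0042", 3600, 1800)}


@dataclass(frozen=True)
class Alert:
    parameter: str
    kind: str     # "baseline-violation" or "unauthorized-change"
    detail: str


def violates(op: str, threshold, value) -> bool:
    """True if value fails the baseline rule (op, threshold). A missing value fails."""
    if value is None:
        return True
    if op == "min":
        return value < threshold
    if op == "max":
        return value > threshold
    if op == "eq":
        return value != threshold
    raise ValueError(f"unknown operator {op!r}")


def check_baseline(snapshot: dict, baseline=BASELINE) -> list[Alert]:
    """Continuous control assessment: every baseline rule is evaluated on each run."""
    alerts = []
    for param, (op, threshold) in baseline.items():
        value = snapshot.get(param)
        if violates(op, threshold, value):
            alerts.append(Alert(param, "baseline-violation",
                                f"value={value} must be {op} {threshold}"))
    return alerts


def check_changes(before: dict, after: dict, approved=APPROVED_CHANGES) -> list[Alert]:
    """Change control: any differing value not matching an approved ticket is an alert.
    A ticket only covers the exact old->new transition it was approved for."""
    alerts = []
    for param in sorted(set(before) | set(after)):
        old, new = before.get(param), after.get(param)
        if old == new:
            continue
        ticket = approved.get(param)
        if ticket and (ticket[1], ticket[2]) == (old, new):
            continue   # approved change, traceable to a ticket
        why = f"{old} -> {new}" + (f" (ticket {ticket[0]} covers {ticket[1]}->{ticket[2]})" if ticket else " (no ticket)")
        alerts.append(Alert(param, "unauthorized-change", why))
    return alerts


def assess(before: dict, after: dict) -> list[Alert]:
    """Post-change assessment: unauthorized changes first, then residual baseline gaps."""
    return check_changes(before, after) + check_baseline(after)


if __name__ == "__main__":
    for a in assess(BEFORE, AFTER):
        print(f"{a.kind:<21} {a.parameter:<35} {a.detail}")
```

Note that the approved change actually brought the system into compliance (the idle-logout weakness present in BEFORE is gone), while the two unauthorized edits created new baseline violations; the same run therefore produces both the real-time alert on the change and the compliance finding that would otherwise only surface at the next audit.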
Infosys helped a leading U.S.-based pharmaceutical company improve their SAP ERP security posture and reduce the cost of compliance by implementing the Onapsis platform and integrating it with an ITSM tool. The resulting benefits include continuous vulnerability scanning and alerting, improved workflows, and compensating controls that maintain compliance between audits.