
SECURING DIGITAL TRANSFORMATION BY DESIGN


CXO INSIGHT MIDDLE EAST, IN ASSOCIATION WITH CHECKMARX, ORGANISED A VIRTUAL C-LEVEL ROUNDTABLE TO DISCUSS THE KEY APPLICATION SECURITY TRENDS IN 2021.

The coronavirus pandemic has dramatically accelerated the pace of adoption of digital transformation across businesses of all types. However, as companies adopt new technologies and agile and DevOps methodologies to improve time to market, security issues continue to rise. Managing cybersecurity risks in the digital ecosystem requires enterprises to follow security-by-design principles and build in security from the earliest point of software development.


CXO Insight ME rallied together some of the top IT and security leaders from the UAE to discuss the cybersecurity challenges in the wake of the Covid-19 related digital adoption and ways to improve application security.

Bhawani Singh, principal solution architect at Checkmarx, kicked off the discussion with security predictions for 2021. “The rapid push to DX has increased speed and app complexity, and at the same time, we are seeing a proliferation of application-level attacks. The shift left movement is transferring security and IT ownership to developers. We are also seeing a shift towards open source and hackers find open source an easy way into organisations,” he said.

Referring to this, Hamad Musabeh, director of information security at Smart Dubai Government, said Covid-19 is forcing businesses to adapt to disruptions and market realities. “If you look at retail as an example, this sector had to implement web and mobile apps to meet customers’ demands in a record time during the lockdown, and this is where open source comes in handy. Security teams will have to keep these business requirements in mind and look to reduce risks associated with open source tools.”

Singh predicted that the demand for cloud-based security and proliferation of containers would increase the use of infrastructure as code (IAC). “We also expect to see malicious actors exploiting developers’ missteps in these flexible environments.”

Pointing out the security risks associated with this trend, Mohamed Morsy, senior security engineer at Talabat, said hackers could exploit any unpatched vulnerability in the IAC pipeline processes. “You have to watch every step and have standard operating procedures for things like user privileges.”

Jurageswaran Shetty, security and infrastructure manager at Gulftainer, brought to the table another challenge facing the CISO community in the region. “We are seeing that SaaS providers are now getting compromised like in the case of SolarWinds. We see the emergence of in-memory malware that EDRs can’t detect. It’s time to protect against these risks by using CASB and cloud security applications.”

During the discussion, Illyas Kooliyankal, CISO of ADIB, spoke at length about the need for agile security. “We can divide security approaches into pre- and post-Covid. Security has to enable business, and digital transformation and cloud adoption are going to continue. In fact, some forward-thinking businesses are adopting a cloud-only approach for cost optimisation and speed of delivery. It is important for security leaders to be part of this journey. Security just can’t be an afterthought.”

Another key prediction made by Checkmarx was around API security. With the move from monolith applications to microservices and containers, vulnerable APIs will be most responsible for software and application-related breaches. Though awareness around API security has improved, APIs will remain one of the top attack vectors for bad actors, said Singh.

Jeevan Badigari, information security and governance manager at Majid Al Futtaim, agreed with this point: “We have many digital initiatives that make use of APIs. The earlier three-tier architecture is no longer valid when you move to micro-services. We harmonise our API infrastructure and use API security gateways. It is still an unknown area and it is growing. We are all new to this game, and maturity is going to be key.”

Singh concluded his presentation by urging the participants to take a holistic view of applications to improve security posture and make security part of the development workflow. “If the security tool doesn’t integrate into your SDLC in as many ways as possible, reconsider. We train the developers to write secure code and the threat modeling part. Our platform will help you to improve your app sec posture.”

Other participants in the roundtable included: Taimur Ljlal, Head of Cloud Security & DevSecOps at Network International; Anoop Paudval, information security manager of Gulf News; Aliasgar Bohari, IT director at Zulekha Hospital; Kausar Mukeri, head of information security at Invest Bank; Shah Khan, IT manager of Emirates College of Technology; Muhammad Zia Rehman, Principal Infrastructure Systems Engineer at Emirates News Agency; Sankar Ragothaman, head of architecture and innovations at Saal.ai; Shabir Bhat, regional sales director at Checkmarx; and Sagar Chopra, vice president, sales at RNS Technology Services.
