Regulation is Sabotaging Security: Here's What Needs to Change

This article was written by Adam Bruehl, Senior DevOps Engineer at Security Journey 

In the rapidly evolving world of software development, security concerns often take a back seat to the pressing demands of time-to-market pressure. This prioritization of speed can lead to a sidelining of application security, resulting in an increase in vulnerabilities making their way into production.

Surprisingly, regulations, although well-intentioned, can sometimes exacerbate the problem by perpetuating silos and encouraging a checklist-driven approach that hinders the broader goal of building secure products and protecting customer data.  

Risk on the Rise  

As businesses strive to meet the ever-increasing demands of the market, open-source components have become a fundamental part of software development. However, these components come with inherent risks, such as malware and vulnerabilities. In 2022 alone, developers made a staggering 3.1 trillion requests for third-party components from Java, JavaScript, Python, and .NET ecosystems, emphasizing the scale of this challenge.  

To put it into perspective, Linux Foundation study claims that the average application development project contains 49 vulnerabilities across 80 direct dependencies. If these vulnerabilities make their way into production, they become a potential target for bad actors, resulting in significant financial and reputational repercussions.

The threat landscape is further complicated by the dramatic increase in malicious packages uploaded to open-source ecosystems, a 633% year-on-year increase in 2022 and a staggering 742% rise compared to 2019 figures, as per industry data.  

Regulation Hinders Secure Development 

Regulations are often designed with an ideal world in mind, reflecting predominant industries and personas of the time. However, they can inadvertently lead to a tick-box mentality among compliance-focused teams. These regulations tend to codify a narrow focus on industry-average personas, unintentionally creating blind spots and introducing friction into the development process. Consequently, the bigger picture, including security, can be overlooked. Compliance becomes a perceived barrier rather than an enabler, which can assure customers and mitigate legal and financial risks.  

For instance, standards like SOC 2 do not explicitly call for ongoing training, even though it's essential for enhancing the security knowledge of software development lifecycle (SDLC) teams. The myopic focus on individual output and personas nurtures a siloed mentality that can be a hurdle to achieving strategic security outcomes. Each department operates within its defined goals, with each stakeholder's success measured by their subset of outputs. This mindset often leaves security as an afterthought, considered far too late in the SDLC. When regulations inadvertently reinforce this siloed thinking, the challenge becomes even more difficult to overcome.  

Read More: Get on the Road to Compliance+

Secure Coding is Everyone’s Responsibility  

The key to a more secure and robust SDLC lies in fostering a security-first mindset that emphasizes business outcomes. Everyone involved, from UX and QA to product management and software development, should be aligned with this vision. Security should not be "someone else's problem"; it should be a mission for all. The path to this inclusive and continuous security culture involves tailored role-based training for everyone across the SDLC. It should be tailored to each role and must be continuous—the threat landscape moves too fast to take an intermittent, one-size-fits-all approach. 

Creating a secure-by-design culture necessitates alignment across the business and a commitment to ensuring that all projects include security requirements alongside their core objectives. This can be achieved while still meeting regulatory objectives and requirements around liability. In a world where critical vulnerabilities are discovered weekly, a commitment to continuous security training can provide a significant competitive advantage.  

The battle to enhance application security is ongoing, and regulations, despite their noble intentions, can sometimes inadvertently hinder progress. The future of secure software development lies in breaking down siloes and fostering a security-first mindset throughout the entire SDLC. By prioritizing security education, tailoring it to specific roles, and ensuring a continuous approach, organizations can not only meet regulatory demands but also drive competitive advantage and build trust with their customers. It's time for a security revolution that makes security everyone's mission, not just someone else's problem.