A CISO's Guide to Code Resilience with ASPM
ASPM Nation 2.0 brought together CISOs, practitioners, and industry experts from companies including TikTok, Cisco, Roche, and Intermex to discuss the future of Application Security Posture Management (ASPM).
Across eight sessions, speakers shared strategies and tools to help organizations strengthen their AppSec posture and align security with business objectives.
Check out Session #8: A CISO's Guide to Code Resilience with ASPM
Lior Levy:
Hey, everyone. And welcome to our closing keynote. I’m Lior Levy, Co-Founder and CEO of Cycode, and I’m excited to welcome Roland Cloutier to our virtual stage. Roland is a globally recognized technology and security leader with a deep understanding of global protection and security of critical infrastructure at some of the largest corporations in the world, including EMC, ADP and TikTok. Roland’s most recent role as Global Chief Security Officer at TikTok gave him first-hand experience securing one of the most innovative organizations in the world. At TikTok, he was responsible for cyber information protection, data defense, operational risk and much more. So I can think of no one better to discuss Cycode’s Guide to Code Resilience with ASPM. So Roland, welcome. It’s great to have you with us today.
Roland Cloutier:
Hey, Lior, thanks for having me. This is a topic I love talking about, so looking forward to today’s chat.
Lior Levy:
Likewise. So to set the stage for our audience, you’ve protected some of the most complex code bases in the world in your role as CSO at TikTok, ADP and EMC. What have you learned about how to innovate and develop applications at speed without compromising on security?
Roland Cloutier:
Well, I think there’s a lot to it, but I can probably boil it down to three core things that you have to have. One is transparency. We always say in security you can’t [inaudible 00:01:25]. So understanding where your code bases are, the infrastructure pipelines that create the app dev environment is critically important to how you can and should [inaudible 00:01:38] organization’s code and application program sets.
The next area is you really have to engage in the totality of the environment of the dev environment. Meaning you can’t just have structured infrastructure adjacent or parallel to your app dev or your coding organizations. You literally have to be constructed within them for it to really work and work at speed. And the third area I would say is to have the right technology in place that can inform you and your “internal customers,” if you will, about the risks, about the information that your tools and technologies are finding. So you have to take the entire ecosystem of vulnerabilities, infrastructure, data assets into context to be able to make better, faster decisions with the amount of information and code coming at you. So those are probably the three basic things I should say that people should start with.
Lior Levy:
Yeah. So in your mind, what role does that code quality play in business success and resilience?
Roland Cloutier:
Well, personally, I think code quality is everything, especially in a digital company and digital organization. It’s like asking what does the quality of food have to do with the restaurant you’re eating at. It’s everything. Or what is the patient safety and success rate of a surgery at a hospital? Well, it’s everything, right? You don’t want to leave a hospital in worse shape than you went in. So I think specifically to code in digital businesses, if people, and I love the word you use, Lior, that security as a component of quality. The totality of quality measures shouldn’t be measured just on security alone, but many, many things. But security first and foremost for it to be successful is going to have to protect the entrusted data and platform that people are using.
And the resiliency aspects of that, ensuring that people get what they pay for and that the operations that is your business is consistent, operating and able to ensure that your [inaudible 00:04:05] interests are met are all super important in a digital business. And whether it’s from infrastructure to applications, to you can be in a hardware business and that code within the hardware sets really super critical. So yeah, I can’t see separating security as a component of quality from your ability to be successful in the market and to be resilient in your operations.
Lior Levy:
Yeah, absolutely agree. Also, in a recent article, you referred to code repos, assets and the ability to validate the security of code as the organization’s crown jewels. Can you expand on that today?
Roland Cloutier:
So many times, we’ve always talked about crown jewels in defending a business to be able to prioritize the defensive posture you have to put in place. To prioritize many, many things. We talk about business assets that are the crown jewels. When organizations take a step back and realize that the entirety of their digital business is based on code, and again, whether it be their product go-to-market applications, their backend enterprise infrastructure, their connections to their supplier ecosystem through APIs, it’s all code. And so I think you have to prioritize the defense of the code that is your business in a way that we used to think about our ERP systems or our intellectual property that houses the Coca-Cola code, so to speak, the secrets of the company. Code is those secrets. Code is what operates your business and takes you to market. So you have to treat it as such.
Lior Levy:
Yeah, funny anecdote, when we initially started Cycode, well, what we realized in the market is how can we protect source code, as we thought that is one of the most important assets that an organization has, and we couldn’t find any tools out there that actually protect code from getting stolen, manipulated and tampered with. So this is why it was a key part in our journey. And I completely agree with what you said. Shifting gears here, I wanted to pick your brain and ask why do you think visibility is such a central part of code security?
Roland Cloutier:
Yeah, I have this conversation with my peers in the industry all the time. And we talk about, well, how much code can you see? Do you know where your code sits? Do you know what code bases are in production? Unfortunately, just the way that organizations grow up, there’s often a diversity in the type of code and where code’s located and who has manageability and operational oversight over those code bases. But if you want to look at the code, if you want to understand who’s checking in code, if you want to understand consistently across your organization where you have a specific problem in code or vulnerability and/or quality issue, if you can’t see it, if you’re missing even a small component, you can’t validate and verify for your business that they are secure. You have to have transparency.
Everything you do starts at your ability to see it, then you can defend it, then you can measure it, then you can accelerate it. But it all starts with transparency. If you start an AppSec, DevSec, CodeSec program without being able to actually integrate into the code repos, it’s a huge problem. And so one of the things that I often encourage people to do in this line of business is start with getting tools in place that allow you to see each one of your diverse code repositories, whether they’re inside your environment or in partner ecosystems, you have to get that transparency.
Lior Levy:
So Roland, what role does an ASPM play in solving some of the visibility challenges that we see out there?
Roland Cloutier:
Well, Lior, I think there’s two parts to this. There’s an operational part and then there’s a context-driven part to that answer. And the first is operations. It’s pretty simple. When you have an ASPM that can provide you visibility, locations, understanding of where code is, how is it stored, who has access to it, how it’s managed, what it’s assigned to, that gives a centralized location or a code defense operating team to be able to work on a single tool to get these things done faster and protect those code repos much faster. It also gives them the ability to add in contextual tools from other technologies that are going to help.
And that’s really the second part to this answer is if you’re just looking at code and not looking at adjacent technologies, infrastructures and the totality of the risk that is associated with code in your environment, you’re not looking at anything, you’re simply going to dump a bunch of output from tools and scanners and what have you onto your customers and that’s no good for them. So having an understanding of the context of the environment, the criticality of certain issues, how pervasive they are within your development environments and the ability to risk prioritize, ASPMs that can collect that information and provide you contextual risk stacking is critically important because you are going to solve bad problems faster and your internal customers are going to be much happier because you’re giving them the information they need to understand the problems that they actually have to solve for.
Lior Levy:
And as part of the complete ASPM approach, do you think that there are any additional key components that a complete and robust ASPM needs to have?
Roland Cloutier:
Obviously, they have to have the ability to identify key aspects of your development environment. They have to be able to do pipeline security and validation in flow. I think it’s important to be able to do insertion, controls insertion, in the pipeline and do it at speed. I think there’s an understanding of what posture management is across the entirety of your development stack and your pipeline. So know where your controls are operating, know where they aren’t. I’ve mentioned risk. I think if you’re going to be a complete ASPM, you have to provide risk context. And I think the final one from kind of my point of view is there has to be the use of proprietary scanners that help get through the dump of things that are hard to understand that are tunable specific for the operating environment that you are. All dev businesses use different coding principles and practices, they have different product sets. And so being able to tune your tools appropriately to get the right information out faster with context, again, super important.
Lior Levy:
And you’ve mentioned proprietary scanners and also pipeline security as part of a complete ASPM. From our conversations, we see that many security leaders view pipeline security as one of the biggest blind spots in AppSec. Why do you think issues like hard-coded secrets are so persistent and so hard to solve for?
Roland Cloutier:
Well, because you’re not in stream in the pipeline, right? You’re doing post-compile code analysis. If you’re not in pipeline and you’re not managing at time of coding, you’re deeper, they have a way to obscure so many lines of code. And depending what you’re testing, you may not get the context or understanding of whether that should be in there or not. So you have to put it in pipeline, which is one of the biggest areas. That’s why people say, “Pipeline’s my blind spot because I can’t see what’s going in completed. I can see it only post-compile or post-development.” And when you’re in pipeline, you’re watching it as it happens and you’re able to stop the things that we all know cause major disasters in organizations.
Lior Levy:
And you touched on proprietary scanners just before. In your mind, what do you think is the role of proprietary scanners as part of your ASPM, beyond the open source scanning tools that lots of ASPMs out there offer?
Roland Cloutier:
Lior, like I mentioned, I think open source scanners are fine depending what you’re doing, but purpose-built scanners typically have the ability to do deeper analysis of downstream root cause, downstream impact to an organization, clearer information, and are tunable to the type of technology and the environment that you’re in. And so what does all that mean? It means you get fewer false positives. It means you’re not providing a dump of a lot of stuff that people have to go through, not only your internal customers, but your own code security teams and application development security teams. They have to take that information.
And when they’re going through non-context aware, open source scanning that doesn’t necessarily understand the environment, it adds so much time to be able to reduce that to a consumable level back to the organization that has to address the problems. So I think that’s one of the biggest things I think that’s important to me. And if an ASPM does it right and they can integrate proprietary scanning technologies with their risk information as well as the integration of other assets from the technology ecosystem of the business, it is a home run because you’re getting information like is this really a problem? Do we have this in other parts of our infrastructure? And so you can prioritize and deprioritize as necessary based on an integrated proprietary scanner within platform.
Lior Levy:
Yeah. And I wanted to shift gears and talk a bit about operations. And in your mind, how can ASPM bridge the gap between the security requirements and the day-to-day work of engineering and development teams?
Roland Cloutier:
Well, my hope for ASPM is that it does the bridging, that we’re providing an automated capability within the infrastructure that the engineering teams operate in. It’s not a separate tool set. We’re connected into their pipelines, we’re connected into their tools, we’re collecting and analyzing information coming from the same tools they use. And it can be heterogeneous, it doesn’t really matter. But that’s the bridge. The bridge is being able to get to them where they work, get to them as they are working and provide them contextual information, quality issues within the tools they operate in. When you can do that, you’ve met them.
Lior Levy:
And just a final question for today, what advice would you give to security leaders and CISOs that are looking to prioritize application security posture management as part of their program?
Roland Cloutier:
Well, first of all, treat it like a business plan. Why are you doing it? What is the criticality to your organization? Get the business to understand why ASPM is going to help drive their business faster. It is not just about the security risk and privacy issues associated with poor quality code, it’s about your business’s ability to charge headfirst into the market knowing that their code is secure and that their business is resilient. That’s probably number one.
Number two is select a platform that integrates tools from the totality of your environment. If you pick a tool and they say, “Well, you can only use our tools,” what good is that? You can’t crawl, walk, run into this environment, you have to crawl. And at the end of the day, you can’t displace a hundred percent of your tools and change your engineering environment overnight. This is a joint process by which you walk a path with your partners in AppSec and development. So pick a platform that will integrate and introduce the ability to participate in your total development and security ecosystem.
And fourth, I would say start a great education process and allow access to those tool sets from your executive partners and operational code leaders. And don’t make it a security tool, make it a development quality tool that you’re supporting and driving. And give them some ownership in not just the tech, but in the process and how it’s used within their environments. I think that’ll be a good start for you to start your own ASPM program.
Lior Levy:
That’s an excellent insight. Well, we have to wrap up there, but Roland, thank you so much for everything you shared with us today. You brought such an important and unique perspective to the discussion on building code resilience with an ASPM approach. I’m sure the audience has so much to learn from you today. I’m handing back to Shawna, who will be sharing our final summary and all of the highlights from today’s sessions. Thanks, everyone.