Chris Wysopal, Co-Founder and CTO at Veracode, and Joshua Corman, Chief Strategist of Healthcare and COVID at CISA, presented at the 2021 RSA Conference on AppSec’s future and the need for a new Chief Product Security Officer (CPSO) role.
Wysopal started by quoting entrepreneur Marc Andreessen saying, “Software is eating the world,” to express just how much we rely on technology. From our iPhones and laptops to our cars and even our refrigerators … software is everywhere.
If we look back at the rise of software, it was largely used originally to automate manual processes in the back office of businesses, like banking software for a teller. But now, we are using software to deliver products to a customer, like a mobile banking application. So as Wysopal stated, “There’s not just more software. There are different kinds of software.”
And this software that’s being released as products to customers has added risk. Using the mobile banking application as an example, Wysopal noted that it’s riskier to use a customer-facing application to conduct your banking than it is to go to the bank and have a teller use the back-end software. More people have access to the mobile banking application, and anyone in the world could connect to the APIs.
And the risk associated with software products is only going to continue to grow. Consider the way we are creating apps now: APIs are the bloodstream. Each microservice, serverless, container, or public API is more attack surface. Applications that connect with social networking create more attack surface. Migrating to new software and forgetting to retire legacy software leads to more attack surface.
And there is risk with new software trends as well. For example, ubiquitous connectivity is now the standard mode for any product. Abstraction and componentization are also big trends. Instead of writing code, we now frequently use a library or write a script that instructs something else to be built. It’s great for building applications quickly, but it changes the way you have to think about security and the software supply chain.
That’s why we need a CPSO role, not just a Chief Information Security Officer (CISO). A CISO is concerned about compliance and protecting the company’s brand, but a CPSO would be responsible for managing product risk. Product risk spans so many departments – like engineering, compliance, supplier management, and information risk – and will likely span even more departments over the next few years. CISOs have too much on their plate to be able to take on product risk.
Corman mentioned that many healthcare organizations have started adding a CPSO-type role to their organizations, and that others should follow suit, especially given the increase in software breaches. As mentioned in our blog outlining Anne Neuberger’s RSAC address, cyberattacks have increased by 67 percent in the past five years. And many of these breaches – like SolarWinds and Microsoft Exchange – are having national security implications. In fact, the Biden administration recently released an executive order to safeguard U.S. cybersecurity. So having a role that is dedicated to managing product risk is not only beneficial but arguably essential.
For more summaries of RSA Conference 2021 sessions, check the Veracode Blog daily.