Thinking security: RSA Conference 2019
This is a special blog about the RSA 2019 Conference.
IT security professionals recently convened in San Francisco at RSA Conference 2019 – the world’s largest security conference. People and organizations from 28 countries worldwide and 33 of the 50 United States came to the Moscone Convention Center for a week of talking security. The stated theme of the conference was “Better” – to signify that we all have to improve in every aspect of security in order to be more secure than we are today.
In addition to the huge show floor (it was reported at 162,800 square feet), the conference is also about understanding security and how to provide it − understanding the attacks (and attackers), understanding people (usually the weakest link) and understanding products and what they can (and can’t) do. There used to be one single topic in the early RSA conferences, but now that security is so pervasive in every part of our lives, there really isn’t a single one to which the RSA conference can do justice.
Unisys was a Bronze sponsor at this year’s conference and had a booth in Moscone North. Mat Newfield (our Chief Information Security Officer) was also prominent at the conference, speaking to the CISO boot camp, as well as a doing a great presentation with Michelle Beistle (our Chief Privacy Officer) to the CXO track about how to do cybersecurity successfully at scale.
My primary goal in attending the RSA conference was to understand the area of DevSecOps better and see what other practitioners and companies are doing in this area. DevSecOps (the embedding of security into the fast paced Agile DevOps process) was more popular this year – more sessions and presenters giving case studies on where they have been in DevSecOps and where they are going. Those sessions focused on a holistic view of the business and the people that make it up – using education, automation and awareness to help transform the way that the business works.
Metrics is one of the more immature areas of DevSecOps in which I was trying to understand what other companies do. Specifically, how do you measure security? Metrics are a little easier to quantify for IT security in general. For example, if your corporate goal is to have every machine or asset patched within 72 hours of a fix being available, then you can track how good your security is with regard to how many systems satisfy this goal. But does that make you secure? Metrics in DevSecOps security are still hard to define – how can you quantify that you’re secure? What about vulnerabilities that you don’t yet know about?
This is why the architecture of ClearPath Forward® is so important. As shown in the U.S. National Institute of Standards and Technology (NIST) National Vulnerability Database chart, ClearPath® clients are secure because of the absolutely rock-solid architecture compared to commodity platforms.
ClearPath Forward security aside, security metrics are even more immature when you talk about code that you develop. How do you know that you are developing secure code? How do you establish a goal? We can certainly track findings, whether they are in vulnerabilities found per thousand lines of code (VKLOC), static code analysis coverage in percent (%), number of assets scanned per week, but those are really about due diligence. They don’t really quantify how secure the code is, but how it isn’t.
Part of the problem is that developing secure code comes down how you THINK about secure code. It starts with the architecture and then the process that’s put in place to ensure that the code has been architected, designed, built, verified and deployed in the most secure fashion. It’s also about how it’s kept up to date, both in what has been found and constant validation and monitoring. Developing secure code is a mindset that the developers at Unisys use every day. It’s how they THINK.
The RSA Conference is a great conference for developing the security mindset because it enables everyone – developers, auditors, providers and users – to THINK security.