Key Takeaways from RSA 2024
The 2024 RSA Conference in San Francisco exceeded expectations. It was a fantastic opportunity to meet an amazing group of individuals from all stages of the software supply chain, from CISOs to researchers to development and security teams. Our discussions reflected the key challenges facing software security professionals, with particular emphasis on:
- The hype vs the reality of AI
- Integration of development and security
- CISO work-life balance
- Software compliance requirements
- The move to security platforms
The hype vs the reality of AI
The most popular theme was AI, to the point where it became a running joke due to its frequent mention. However, AI was used far more as a marketing term than as a concrete description of how it could help respond to and prevent security problems. I do believe that we are moving past the initial hype cycle into a more realistic world where we understand how to use AI and, at the same time, are aware of the new challenges, risks and surprises that it presents.
Techstrong TV discusses the benefits of taking a systematic approach to DevSecOps with JFrog Field CISO Paul Davis from the floor of the RSA Conference 2024 in San Francisco.
Integration of development and security
Another key takeaway was the renewed focus on DevSecOps within the realm of IT security. While vulnerabilities and application attacks have always been a concern, there’s now a heightened understanding of the need for active IT security integration within an organization’s development frameworks. This goes beyond periodic scanning of source code to a full program that integrates with software development and enables it to be more secure and effective.
Integrating developers and security teams without requiring them to work within each other’s tools was a major topic, with emphasis on ensuring that security knowledge and guidance are delivered directly into the development environment. Likewise, from a security perspective, IT security professionals are not interested in monitoring yet another work or ticket queue, but prefer that new data points be displayed within their existing dashboards and alert interfaces.
CISO work-life balance
Another significant topic was the work-life balance of CISOs, as they seem to be questioning their roles, pushing for a clearer definition of their role from their executive management/boards, and reviewing their career paths. While this is not a new development, it is nonetheless a serious issue that needs to be addressed. It is critical for organizations to continue having a trusted voice that is solely focused on security. In fact, having a CISO-type security expert is now being mandated by various regulatory boards, including the SEC.
The industry cannot afford to lose experienced and dedicated security professionals. Their balanced perspective on IT, business and security risks, and their role as a trusted advisor on these matters, are crucial for business success. So perhaps it is time to reconsider the expectations we have of security officers and redefine their roles and responsibilities. To this end, many CISOs are now taking out personal liability insurance, while Gartner suggests that 25% of CISOs may change jobs within the next year, and some may even leave the security field altogether due to high stress levels and insufficient compensation.
Software compliance requirements
Compliance was another recurring theme. The increasing demands in compliance regulations call for greater accountability in how we develop, test, and secure the software we deliver, as well as how to document those procedures for regulatory authorities. Compliance with these emerging frameworks requires multidisciplinary participation of developers, DevOps and security in all the stages of the software development process.
If you have not started putting compliance processes in place, then please do yourself a favor and get started ASAP. If you understand the critical importance of meeting these standards and are already in the process of implementing a solution, then keep going at full speed. The standards proposed by these frameworks are quickly becoming a reality, as reflected in initiatives such as the White House’s recent Executive Order, the EU’s AI Act, and the heightened importance of generating an authorized Software Bill of Materials (SBOM) to meet NIST and SLSA software security requirements.
The move to security platforms
The need for platforms was also highlighted. The consensus is that we need to move away from point solutions towards having a single platform that combines all the tools necessary to provide a seamless mechanism for tracing and attesting to every step of the development process, from the beginning of the design phase through to production and on to runtime. It’s become clear that a unified solution providing immutable traceability across the entire lifecycle is required, and some leading vendors are rising to the challenge.
Executives are also feeding demand for platform solutions as they strive to streamline software production, with the goal of lowering costs by reducing complexity and the overhead of having disparate tools provided by multiple vendors. While they are concerned with tool proliferation at every stage of development, security leaders, who are naturally cautious, want to ensure no gaps exist that could expose weaknesses and increase business risk.
At the same time, it makes sense that each team should select the tool sets that enable them to achieve their goals and match their work styles. I believe that the best way to achieve these goals is by adopting two basic principles:
- Assess all the tools used throughout the software development process, including not just the major steps such as coding, building, and deploying, but also the control gates that guide a software component through each stage of deployment. I have included a snapshot of the tool that I use to assist our customers. It is a simple but clear approach that many of our customers use as a foundational component to document, and gain insight into, all the tools that are used to build and run software.
- Start leveraging a platform approach that allows you to integrate all the tools your teams require into a unified ecosystem where all your software artifacts represent a single source of truth and are accessible through a single platform. This does not preclude having multiple tools at each stage, but it does drive the need, and the discipline, to start integrating all your tools and controls into a more streamlined and cost-efficient model.
Using this approach provides a 360-degree view of the entire risk posture associated with your software components and supports a multitude of use cases, from audit to security response, without degrading the speed of development or the frequency of releases. There is another step in the process, but I am going to hold back on that, just to confirm that the signals I’m seeing validate this next phase of evolution. As they say, “Watch this space for further developments”.
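To make the "no gaps" requirement from the two principles above concrete, here is an added example (not JFrog's code, nor the tool snapshot referred to above) of the kind of check a lifecycle traceability platform performs: each pipeline stage leaves an evidence record with the digest of what it consumed, the digest of what it produced, and the results of its control gates, and a verifier walks the records to confirm an unbroken chain of custody from build to deployment and that every required gate was both recorded and passed. The stage names, gate names, record format and sample digests are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set
import hashlib
import json

# Control gates that must have passed at each lifecycle stage before the
# artifact may move on (a hypothetical policy for this example only).
REQUIRED_GATES: Dict[str, Set[str]] = {
    "build":  {"sbom_generated", "dependency_scan"},
    "test":   {"unit_tests"},
    "deploy": {"signature_verified", "change_approval"},
}


@dataclass
class StageRecord:
    """Evidence that one pipeline stage leaves behind (constructed format)."""
    name: str
    input_digest: str            # digest of the artifact the stage consumed
    output_digest: str           # digest of the artifact the stage produced
    gates: Dict[str, bool] = field(default_factory=dict)  # gate name -> passed?


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_chain(stages: List[StageRecord],
                 required: Dict[str, Set[str]] = REQUIRED_GATES) -> List[str]:
    """Return a list of findings; an empty list means the lifecycle is fully traceable."""
    findings: List[str] = []
    expected, actual = list(required), [s.name for s in stages]
    if actual != expected:
        findings.append(f"stage sequence {actual} does not match required {expected}")
    for i, stage in enumerate(stages):
        # Chain of custody: each stage must consume exactly what the previous one produced.
        if i > 0 and stage.input_digest != stages[i - 1].output_digest:
            findings.append(f"{stage.name}: consumed {stage.input_digest[:12]}... but "
                            f"previous stage produced {stages[i - 1].output_digest[:12]}...")
        # Control gates: a missing result is a gap, a False result is a failure.
        for gate in sorted(required.get(stage.name, ())):
            result = stage.gates.get(gate)
            if result is None:
                findings.append(f"{stage.name}: no evidence recorded for gate '{gate}'")
            elif not result:
                findings.append(f"{stage.name}: gate '{gate}' failed")
    return findings


def load_stages(json_text: str) -> List[StageRecord]:
    """Parse stage records from a JSON evidence document (constructed format)."""
    return [StageRecord(**entry) for entry in json.loads(json_text)]


# Constructed sample: source tree -> built binary -> tested binary -> container image.
SRC = digest(b"source tree at commit PLACEHOLDER")
BIN = digest(b"built binary")
IMG = digest(b"container image")

GOOD_PIPELINE = json.dumps([
    {"name": "build", "input_digest": SRC, "output_digest": BIN,
     "gates": {"sbom_generated": True, "dependency_scan": True}},
    {"name": "test", "input_digest": BIN, "output_digest": BIN,
     "gates": {"unit_tests": True}},
    {"name": "deploy", "input_digest": BIN, "output_digest": IMG,
     "gates": {"signature_verified": True, "change_approval": True}},
])

# Same pipeline with three gaps: the dependency scan failed, the deploy stage
# shipped a binary that was never tested, and nobody recorded an approval.
ROGUE_BIN = digest(b"rebuilt binary, never tested")
BAD_PIPELINE = json.dumps([
    {"name": "build", "input_digest": SRC, "output_digest": BIN,
     "gates": {"sbom_generated": True, "dependency_scan": False}},
    {"name": "test", "input_digest": BIN, "output_digest": BIN,
     "gates": {"unit_tests": True}},
    {"name": "deploy", "input_digest": ROGUE_BIN, "output_digest": IMG,
     "gates": {"signature_verified": True}},
])

if __name__ == "__main__":
    for label, evidence in (("good", GOOD_PIPELINE), ("bad", BAD_PIPELINE)):
        print(label, verify_chain(load_stages(evidence)) or ["fully traceable"])
```

The point of the digest comparison is that a single missing link, such as an artifact that reaches deployment without passing through the test stage, is reported even when every individual tool ran successfully; that is exactly the kind of gap that disparate point solutions with separate dashboards tend to hide.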
These were the primary themes I observed at RSA. Although it was quite exhausting in a good way, I certainly found it rewarding and look forward to seeing everyone next year to stay on top of what is happening in our industry.
To see how the JFrog Platform can help protect your software supply chain, take a tour, schedule a demo or start a free trial today.