With major cyber attacks on critical infrastructure such as the SolarWinds attack, the Florida water treatment facility hack, and the US East Coast’s Colonial Pipeline ransomware crisis, the security of products — and not just information systems — really needs to be taken more seriously, argues Chris Wysopal, founder and CTO of code scanning company Veracode.
While the CISO protects information in the enterprise, Wysopal is arguing this week at the RSA 2021 conference that products need the same level of attention as enterprise information systems. His call for greater focus on product security comes as supply chain attacks are on the rise and governments across the world attempt to grapple with the problem of tampered-with products entering an organization.
“Products are different. Products leave the enterprise. Think of Tesla’s product security. It’s the car. You could think of a medical device company, but even in more information-oriented companies, it’s an app, it’s a standalone website and they’re starting to become outside of the enterprise. They have a life of their own,” Wysopal tells ZDNet.
Wysopal is a notable figure in the cybersecurity scene, and was one of the original vulnerability researchers and one of seven members of the L0pht ‘hacker think tank’ who told the US Senate in 1998 that the group could bring down the internet in 30 minutes.
Wysopal reckons products like these need a C-level exec with a better engineering skillset than a CISO typically has — a role more focused on monitoring networks and systems to keep hackers out.
“Historically, a CISO has not been required to build in security into a piece of software or a device,” he says.
“The traditional CISO doesn’t have that security engineering and product engineering background. They traditionally have grown up through compliance or network security, and they don’t have the understanding of software or code-level vulnerabilities. So you’ll have a lot of times where you have product security not reporting to a CISO, but reporting to the VP of engineering.”
At Veracode, the CISO reports to him as the CTO, while his head of product, which…