#RSAC: The Rise of the Chief Product Security Officer

There are a number of common executive cybersecurity roles today, including chief security officer (CSO) and chief information security officer (CISO), and now it's time to add one more – the chief product security officer (CPSO).

In a session on May 20 at the 2021 RSA Conference, Chris Wysopal, founder and CTO at Veracode, and Joshua Corman, chief strategist for the healthcare sector at CISA, outlined why it's time for organizations to have a chief product security officer (CPSO).

"Software trustworthiness, or rather the lack of trustworthiness, is at the forefront of everyone's mind right now," Corman said.

Corman noted that software development practices really haven't properly considered the consequences of having an insecure development model. For example, during the presentation he pulled up a quote attributed to Reid Hoffman, founder of LinkedIn  –  If you're not embarrassed by the first version of your product, you've launched too late.  Corman emphasized that no physical engineer would say the same thing about a building or a bridge, where failure would result in the loss of life and property.

"We've learned through high-consequence failures in physical engineering," Corman said. "I'm hoping we will find our footing for what it's going to take for digital infrastructure, because as the world increasingly depends on that digital infrastructure, they increasingly are depending on you."

The idea is we need this new individual to do something that spans many different many different departments nowChris Wysopal

Enter the Chief Product Security Officer

Having an executive that is dedicated to product security is an important step to help improve security outcomes.

Wysopal explained that a CSO or CISO is typically concerned with an organization's overall security, regulatory compliance and protecting a business's brand. In Wysopal's view, the kind of software that is being developed today is actually adding a lot more risk to the world, and there is a clear and present need to take steps to reduce that risk.

"The idea is we need this new individual to do something that spans many different many different departments now," Wysopal said.

Wysopal said that the role of chief product security officer spans engineering, compliance, supplier management and information risk. He added that it's also important to have both a developer and enterprise risk management view of software security.

"If you're going to be the CPSO you have to go in both directions, you have to engage with the individual developer, and get that individual developer to find and fix the vulnerabilities in the code," Wysopal said. "But on the other hand, you need to look at the bigger picture."

That bigger picture involves understanding the potential impact of an application or product vulnerability.  There is also a need to understand that the attack surface for applications has grown significantly in recent years. Wysopal said that with ubiquitous connectivity and public-facing APIs, there are more opportunities for attackers to find vulnerabilities and exploit an application.

Securing Products with Cloud Native Development Approaches

In the application development space, developers in recent years having been making use of cloud native development approaches that can actually aid prospective chief product security officers.

Wysopal said that technologies such as containers and infrastructure-as-code approaches can narrowly define how a specific component of an application should be deployed in a repeatable manner. By reducing the attack surface and defining application deployments as code, Wysopal said that it's possible to deploy faster and actually build a more secure product.

"We can start to take our security tooling that used to be disparate processes, that sometimes were manual, and actually just make them another developer tool that's part of the process," Wysopal said.

Corman advised that prospective chief product security officers should also take advantage of threat modeling to help reduce risk.

"Instead of using buzzwords and marketing terms like zero trust, actually start implementing some of the ideas behind them, like least privilege and trust boundaries," Corman said.

What’s Hot on Infosecurity Magazine?