One of the most difficult issues in software development is ensuring that the product being developed is built securely from the start. To do this, development teams must follow established security practices, use tools that meet security requirements, and integrate secure features. If that sounds complex, that’s because it is.
As with all executive orders, the rules apply directly to federal agencies, but in reality, they go further than that. Federal government contractors and companies that develop products, including software, for the federal government are also required to meet EO requirements. NIST, in turn, published its set of best practices for developing compliant software as part of a secure software supply chain.
Additionally, many companies are following the federal government’s lead on security, even if they are not contractors. At a minimum, it saves them from having to develop their own requirements and also makes it easier to find compliant products. By following federal regulations, companies can also generally meet their industry’s security requirements, so while the regulations may be overkill, they are easily justified.
The problem, however, is finding a way to conform to the requirements during the development process. This is where companies such as Cycode come in. Cycode has developed a software development platform that supports meeting these requirements and connects your development environment to the tools needed to ensure compliance.
“The product is a platform that connects to existing tools used in software development. So basically we connect to the places where you manage the code,” said Lior Levy, CEO and co-founder of Cycode. He said that their software reviews the code and all dependencies to ensure that the whole process is secure.
Levy said that by using their platform to develop secure code and properly use developer tools, “they use our platform to make sure organic security issues are addressed, and also that all management tools and processes are done the right way.”
Levy said users also ensure that their code repositories are properly secured and access to them is properly controlled. “So one of the organization’s concerns with its code repositories is that access to the repository is secure so that only developers who need it have it. Do developers use two-factor authentication to access the platform? What is the activity of the repository? Is the code reviewed by at least two people before being merged with the production code?”
Levy said the Cycode platform can analyze development code in real time, or developers can send finished code to the platform and have it analyzed. Either way, it will return results and recommendations for any changes to meet security requirements.
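The repository controls Levy lists (two-factor authentication for developers, access limited to those who need it, and two reviewers before a merge into production) can be expressed as a mechanical check over a repository's settings and activity. The following is an added example written for this article, not Cycode's code or data model; the snapshot layout, the field names and the sample repository are all constructed here.

```python
# Added example, not Cycode's code: checks a repository configuration snapshot
# against the controls the article lists. The snapshot layout is constructed here.

def audit_repository(snapshot):
    """Return (control, detail) findings; an empty list means all checks passed."""
    findings = []
    prod = snapshot["production_branch"]
    for user in snapshot["collaborators"]:
        privileged = user["permission"] in ("write", "admin")
        # Two-factor authentication for every account that can change code.
        if privileged and not user["mfa_enabled"]:
            findings.append(("mfa", f"{user['login']} has {user['permission']} access without 2FA"))
        # Only developers who still need access keep it (least privilege).
        if privileged and not user["active"]:
            findings.append(("least_privilege", f"{user['login']} is inactive but keeps {user['permission']} access"))
    # At least two reviewers before code reaches the production branch.
    protection = snapshot["branch_protection"].get(prod)
    if protection is None:
        findings.append(("review", f"no branch protection configured on {prod}"))
    elif protection["required_approvals"] < 2:
        findings.append(("review", f"{prod} requires only {protection['required_approvals']} approval(s)"))
    # Repository activity: merges into production that bypassed the two-reviewer rule.
    for event in snapshot["events"]:
        if event["type"] == "merge" and event["target"] == prod and len(event["approvers"]) < 2:
            findings.append(("activity", f"merge {event['id']} into {prod} had {len(event['approvers'])} approver(s)"))
    return findings


# Constructed sample snapshot (hypothetical repository, not real data).
SAMPLE_SNAPSHOT = {
    "production_branch": "main",
    "collaborators": [
        {"login": "alice", "permission": "admin", "mfa_enabled": True, "active": True},
        {"login": "bob", "permission": "write", "mfa_enabled": False, "active": True},
        {"login": "carol", "permission": "write", "mfa_enabled": True, "active": False},
        {"login": "dave", "permission": "read", "mfa_enabled": False, "active": True},
    ],
    "branch_protection": {"main": {"required_approvals": 1}},
    "events": [
        {"id": "m-101", "type": "merge", "target": "main", "approvers": ["alice"]},
        {"id": "m-102", "type": "merge", "target": "main", "approvers": ["alice", "bob"]},
        {"id": "p-7", "type": "push", "target": "feature/x", "approvers": []},
    ],
}

if __name__ == "__main__":
    for control, detail in audit_repository(SAMPLE_SNAPSHOT):
        print(f"[{control}] {detail}")
```

Run against the sample, it reports one finding per control: a write-capable account without 2FA, a departed developer who still has write access, a production branch that requires only one approval, and a merge that went in with a single reviewer.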
The goal is to help companies avoid incidents such as the SolarWinds attack in December 2020. That attack compromised software used by thousands of companies to manage their IT resources, and then spread to those companies. By using Cycode, companies can detect a compromise such as this attack and prevent it from spreading. Cycode was actually launched about six months before the SolarWinds breach, but the resulting demand provided fertile ground for its growth.
“Software supply chain security is one of the hottest areas of cybersecurity right now,” Levy said.