A cyber-resilient mindset is different from a cybersecurity mindset, although they are complimentary. Cybersecurity has often been an afterthought in System Engineering. It always surprises me to read through diagrams or models and discover not one mention of cybersecurity. Criminals will exploit humans and systems to bring the system to its knees and cause massive revenue loss.
Security in System Engineering has a lot to do with WHO is involved more than vulnerabilities. The most important thing for System Engineering security is in changing the culture to embrace security. No exceptions. Security must be built into the project at the beginning.
Implementing a DevSecOps approach ensures that security, development, and IT Ops teams work toward a joint security goal. ~ Linda Rawson
The People are Not the Process.
DevSecOps is agile in nature, and the people are still involved but not in the same capacity as they were in the Waterfall model. In DevSecOps, the people are not the process: The pipeline, the set of phases and tools that the code follows to reach deployment, defines the process.
The phases include Build, Test, and Deployment and prefer automation over manual methods. Build automation consists of the tools needed to grab the code and compile it. Test executes the automated test cases, while deployment drops the build into its destination. It means using static analysis tools that check the portions of code that have been changed versus scanning the entire code base.
The People Monitor the Process and Respond to Process Failures
Training hardware and software developers regularly on new cyber-attack techniques and exploitation vectors is essential to application solution security. Security and quality assurance policies need to be promulgated among the team to make development standards unambiguous and clear for everyone. Defensive Coding Practices result in more complicated code but writing code while thinking how an attacker might think, reduces vulnerabilities, and therefore reduces risk.
All Levels of Management Must Be Involved
Individuals from government stakeholders, operations, security, and development teams must be encouraged to have a cyber-resilient mindset. If you are proactive and think like a cyber attacker, you would do things differently instead of explaining why an attack occurred. In the case of an extensive enterprise system, why bank accounts were drained, or an airplane hit the ground.
Adopting Cybersecurity Practices
Adopting cybersecurity practices such as continuous integration, continuous delivery, and constant distribution has dramatically accelerated the speed at which organizations release and update applications. Security is no longer something that can be bolted on at the end of the development cycle but must be started by a proactive organization.
#systemengineering #cybersecurity #cybersecurityawareness #DevSecOps #infosec #security #mindset