Enter 2024 – the year in which we’ll discuss security a lot.

Two major EU regulations are at our doors. DORA will become enforceable on January 17th, 2025, and NIS2 even earlier, at the end of 2024. Both regulations prescribe a considerable number of measures organizations need to take with NIS2 upping the ante with intimidating penalties if they don’t.

Sticks never worked as well as carrots. Therefore, organizations must understand why they should invest in their security practices. Some of the most notable security breaches, such as SolarWinds, Log4Shell, and others, enabled remote attackers to gain system control. In a world where data is the new oil, that means the possibility of stealing tons of personal, financial, and other data. Such situations could tear any company down. And many of them can be mitigated by applying sound security practices.

I won’t go into dissecting and explaining the legal stuff of DORA; there are far too many blog posts doing a better job at that. Instead, I’ll summarize the core intention of the act and go deeper into practical ways CROZ helps client organizations.

🚨 Join us at our next Trailblazers meetup at CROZ on April 18th where we’ll discuss the practical ways of implementing DORA. Yes, we’ll focus on the real actionable engineering stuff! Register here.

In a nutshell, DORA recognizes five major areas in which organizations should look for improvements:

1. 1. ICT risk management and governance – what can organizations do to mitigate security risks proactively and honestly say they did all that was in their power to prevent security incidents
2. 2. Incident reporting and management – if security incidents happen, what can organizations do to detect them as soon as possible and notify the regulator
3. 3. Operational resilience testing – how can organizations test their systems against possible threats
4. 4. Management of ICT third-party risk – in the modern economy, organizations rely on each other and must be intentional about handling risk that such collaboration can introduce
5. 5. Information and Intelligence Sharing

Let’s dive deeper into the first area – ICT risk management and governance.

It all starts with recognizing what could go wrong and preparing the organization for such scenarios. Preparation begins with education. Every modern organization is a tech organization today, with software systems at its core. As much as organizations discuss software architecture, design patterns, scalability, and similar software aspects, they rarely discuss security. It is often an afterthought, particularly if organizations are building internal systems. In such cases, security is even less considered for assuming that sole users will be benevolent employees and the system itself will be secured from the outside by infrastructure solutions on the organization’s perimeter. In reality, not all employees are benevolent, just like no infrastructure solution can protect against all malevolent attack vectors.

Security must be built on all levels, starting with the application layer. Poorly designed and implemented applications can help attackers gain control and trick them into exporting and manipulating data. Not handling authorizations properly, not sanitizing inputs and exposing more data than necessary increase the attack surface. Fortunately, OWASP annually provides a list of common application vulnerabilities. Although a public list, it’s not always top of mind and it’s not easy to implement these practices and scale them across the organization.

Education is crucial here to introduce sound secure coding practices on an organizational level.

DORA recognizes the importance of education in its Article 13 paragraphs 6 and 7:

Courses on secure coding directly address application vulnerabilities and establish common secure coding standards across the organization. Addressing application vulnerabilities early in the software development process, as early as in the design phase, eliminates most vulnerabilities.

As the famous Law of Holes says, if you find yourself in a hole, stop digging. Or, applied to software security, if you find yourself with many application vulnerabilities to solve, the first step is to stop producing them further by addressing the root cause and preventing recurrences. And the best way to do so is to educate your teams on how to avoid them in the first place. Secure coding education typically covers proven security design patterns and good practices for managing the software supply chain.

CROZ experts can help you deliver secure coding education. Education is necessary but not always enough to introduce new secure coding practices. In such cases, we at CROZ use the concept of Enabling Teams to help organizations build their internal capabilities. Our experts work with client teams to pick up on secure coding practices and incorporate them into their daily work. That way, client teams are provided with more than just a theory – our Enabling Teams provide practical support while client teams change their ways of working.

As important as education is, it can never be the single line of defense. Organizations should invest in establishing and automating security controls in their software delivery pipelines. Such controls oversee the delivery process and detect possible non-compliance with established security policies.

Implementing CD pipelines with automated security controls is an excellent second-line defense for detecting and preventing vulnerabilities from reaching the production environment. A stable and reliable CD pipeline is the basis for every successful product development. Such a pipeline instills confidence that the correct source code will end up in the right environment, that possible vulnerabilities will be detected, and all housekeeping work will be done. A reliable CD pipeline is like playing good defense in any sport – it gives you more freedom in offense to take your game to the next level, knowing that if you overdo it, there will be a safety net watching after you.

On the other hand, not having a reliable CD pipeline leads to reluctance to push changes to production, even the critical patches! Ongoing State of DevOps Report research used scientific methods to prove a strong correlation between batching changes and low organizational performance.

Designing reliable CD pipelines focusing on security aspects and providing support for their implementation is a job for a Platform Team. Sometimes, the Platform Team exists in the client organization, but more often than not, it doesn’t. In such cases, CROZ experts introduce the concept of a platform and its importance in modern organizations. Furthermore, they help build the Platform Team by becoming a part of it to jump-start delivering value to the rest of the organization. Very often, the Platform Team initially doubles as an Enabling Team, helping other teams use the platform correctly.

Our experience in building CROZ Platform Team is documented here as an official Team Topologies case study.

The third line of defense is introducing a continuous improvement mindset. New attack vectors will emerge and new application vulnerabilities will inevitably slip through automated security checks. When that happens, organizations need to have processes in place to improve their educational efforts and implement new security checks to prevent that particular vulnerability’s next occurrence. Mechanism such as Communities of Practice help disseminate new information through the organization and keep the educational program up to date.

A continuous improvement mindset is not always natural to many organizations. Necessary organizational structures are often missing, and, contained within their silos, people are not used to looking broadly and thinking holistically. Therefore, CROZ experts provide support in the organizational transformation to stop looking at the organization as a set of silos and start looking at it in terms of value streams – highway lanes on which people of all functions collaborate to deliver value to clients by building meaningful products.

(1) Education, (2) automated controls based on security policies and (3) continuous improvement form the basis for sound risk management and governance. Putting all three pieces of the puzzle together communicates a strong dedication to preventing current and future vulnerabilities as a part of ICT risk management and governance processes.