Security Starts from the Code
The month of May is an important month for companies operating in Europe. The General Data Protection Regulation (GDPR) kicks in, and every company needs to comply with one of the most important changes in data privacy regulation in 20 years.
Last year, as part of the Innovation Exchange activities in Italy, we got to know Swascan and awarded them a special prize within the Premio Marzotto. This startup has a compelling solution that helps small and larger companies quickly assess important parts of their security posture.
Digitizing enterprises is all about connecting data to applications and applications to users. Frequently this is done through complex ecosystems that form a de facto supply chain, where the weakest link can impact the largest companies. Supply chain attacks appear to be increasing in velocity and complexity. They can impact computers on a massive scale and can persist for months or even years, as described in the Cisco 2018 Cybersecurity report.
Automation is key to identifying vulnerabilities easily, both in the source code of applications and in running applications. This is why we have started to leverage Swascan in Italy to increase the level of awareness in complex supply chains. The Cybersecurity report shows that 90% of organizations expect attacks in both IT and OT environments in the near future, and that the average cost of breaches is significant: more than half (53%) of all attacks resulted in financial damages of more than $500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.
Leveraging startups like Swascan is interesting because they address the pain of reducing the friction involved in getting a basic assessment done; this is particularly useful in complex supply chains. Swascan is developing a service that allows companies to immediately detect, analyze, and solve vulnerabilities through a preventive analysis of the system. It is a single platform that makes it possible to execute these kinds of tests with just one tool, whereby companies can run several scans and automatic assessments:
- Vulnerability Assessment: scan for vulnerabilities of websites and web applications
- Network scan: scan for vulnerabilities of networks (anything that can be associated with an IP address, such as routers, workstations, servers, …)
- Code Review: scan for vulnerabilities of source code of applications
In addition, with the same platform companies can also test their GDPR compliance level. Swascan is a unified suite that ensures Business Security Governance and GDPR compliance. The team also leverages the expertise of Raoul Chiesa, an expert in Cybersecurity and Ethical Hacking.
“There is a never-ending evolution as far as the skills of the attackers are concerned; the same level of evolution must develop in terms of Preventive, Proactive and Predictive Security in order to successfully face these challenges.
By 2021 cybercrime will represent a $6 trillion cost on a yearly basis, 50% more compared to 2015. This is going to be a massive change, probably the biggest one in terms of economic wealth distribution, and as a matter of fact cybercrime will outdo several illegal trades in terms of profitability. “Hard impacts” will affect our life, both in a virtual and physical way; they will affect our habits and social aspects. This year will register an increase as far as attacks that exploit devices’ vulnerabilities are concerned. These kinds of attacks are commonly called “Hardware hacking” and, as previously said, they do not exploit programs’ vulnerabilities but devices’ ones. These are the new generation weak spots and there will be a growing need to face these criticalities from the point of view of the producers of connected devices – the so-called Internet of Things.”
Raoul goes on to say: “The efforts of the attackers are more likely to focus on financial institutions and e-wallets since Cryptocurrencies are on the rise.” Moreover, Raoul predicts that: “there will be a significant increase as far as attacks on critical infrastructures and industrial systems are concerned. These attacks have a specific goal: blackmail – without excluding cyberterrorism scenarios. In addition, there are more potential targets that need to be considered, such as: the health sector (the data of the patients are a sensitive target, as well as the manipulation of medical devices), tourism (both for documents and credit cards) and the ‘mobile’ sector (the evolution in this specific field could lead to the resale to a large audience of ‘spyware’ programs at a very low price that spy on all of the smartphone activities of a user).”
In this new scenario there is a need to create a new Cybersecurity Framework based on:
- Preventive Security
- Proactive Security
- Predictive Security
In this framework, Swascan represents the solution for Preventive Security that integrates with Proactive Security solutions like Umbrella and with Predictive Security solutions like Cisco Amp Grid.
This integration model increases the security level of your company through the following processes:
- Common Knowledge Base
- Security Alert
- KPI Analytics
At the same time, it reduces reactive security activities, which represent the real costs of security.
In the Digital transformation and Hyperconvergence era, it is necessary to rethink and create a new corporate security paradigm through security open innovation models.
In conclusion, the innovation activities that accelerate Digital transformation are forming new, complex, agile supply chains. This requires a very structured approach to preventing vulnerabilities, which is why companies need to leverage Machine Learning and Automation to increase vulnerability awareness with very low friction.
About the authors: Enrico Mercadante is leader of Cisco’s Innovation, Architecture & Digital Transformation team in Italy, and Pierguido Iezzi is Co-Founder of Swascan.