Back in 2016, a data breach at Uber made the headlines as much for the incident itself as for the revelation that then-CSO Joe Sullivan attempted to hide the breach from the public. Over 57 million users and 600,000 Uber drivers were affected. Earlier this month, Sullivan was prosecuted and subsequently found guilty of obstructing justice and concealing a felony, earning him three years of probation, community service, and a $50,000 fine. How did he get here? During the 2016 incident, he made a series of questionable decisions, including:
- Not warning individuals that their data had been compromised
- Not telling authorities or regulators about the breach
- Paying the hackers $100K to sign an NDA to ensure that the breach wouldn’t become public
- Disguising that payment as one from Uber’s bug bounty program
All of this raises the question: What could have happened if Sullivan had been upfront instead? On the one hand, acting quickly and transparently can mean spending less on remediation. According to IBM’s Cost of a Data Breach Report, “shortening the time it takes to identify and contain a data breach to 200 days or less can save money,” with the average savings totaling $1.12M. Beyond the financial savings, owning up to the breach earlier and offering full cooperation to investigators could have led to less scrutiny overall and to the public forgiving and forgetting – instead of reading about Sullivan’s prosecution six years later.
Modern organizations should be paying attention to this case. As the attack surface for every company continues to grow at breakneck speed, the potential for similar breaches skyrockets. And if your security response is derailed by ethical considerations, you could make headlines for all the wrong reasons. That’s why security executives must not only ensure their teams are securing the entire attack surface but also have a plan that will be followed no matter what if and when a potential breach occurs.
AppSec in support of cybersecurity ethics
At the heart of it, ethics is about doing the right thing. As cyberattacks mount, one thing is becoming clear: in cybersecurity, this now means not only transparently reporting breaches but also doing everything you can to prevent incidents in the first place. While having a solid incident response plan for cyberattacks is critical both for compliance and for business continuity, the best crisis plan is always prevention.
For application security, preventing attacks means investing in robust tools that will enable your organization to perform security testing at every stage of production, development, and deployment. It also means ensuring that there is a strong access management process in place that follows the principle of least privilege so only the minimum necessary authorization is given to the right employees at the right time. By embedding security and security controls throughout the entire software development lifecycle, you increase visibility and tracking, which dramatically lowers your overall risk of a breach.
Every organization wants to tell its customers and shareholders that security is a top priority. To truly walk that talk in AppSec requires a security program that gives complete visibility into your attack surface, including legacy applications that have been lost, forgotten about, or hidden. Having that catalog of web applications is crucial to reduce your risk of breaches – after all, you can’t defend what you don’t know about. Ensuring that all these apps are tested on a routine basis is also key. What’s safe now isn’t necessarily going to be safe in the future, and malicious hackers are innovating just as fast as modern organizations are. When security becomes continuous, your organization is able to find and fix vulnerabilities in a methodical way, so you can confidently and truthfully say that you’re doing all you can to minimize risk.
Cybersecurity is about protecting data and businesses, but it’s also about people – their livelihoods, personal information, and well-being. Without preventative measures in place to protect these everyday needs, organizations increase their risk of incidents that can result in irreversible financial damage and lost trust from employees, business partners, shareholders, and (most importantly) customers.
Tips for safeguarding ethics in AppSec
Creating an ethical AppSec program sounds easy enough: just always do the right thing, and it’ll all work out. Some organizations rely on a compliance mindset where they only focus on ticking boxes for basic security checks. But there are guidelines and best practices for application security that will help you maintain trust with your employees and customers while staying out of the news for the wrong reasons – as long as you have the culture in place to make sure nobody cuts corners.
- Make sure your organization has a clear chain of command if a data breach occurs, and establish an incident response checklist that covers the basics of identifying assets and compromised apps, notifying the right people, and auditing or modifying access to impacted assets. Everyone should know their roles and responsibilities, and they should be ready and empowered to carry them out at the drop of a hat.
- Implement strong authorization policies that enable administrators to set up the right level of access to prevent unauthorized activity, and set up systems for privileged access management (PAM) to more effectively manage and control access to critical systems and data. Ensure that access rights for employees and external partners alike are revoked as soon as they are no longer needed.
- Maintain good records in vulnerability and remediation tracking, and include metrics that provide a clear view of the state of the AppSec program to ensure everyone is accountable for the results. Ensure that you’re truly making headway with remediation.
- Establish a holistic plan for approaching vulnerability remediation by severity so that the team knows which issues present the biggest risks and can learn to prevent them in the future with best practices.
- Don’t forget that the cybersecurity landscape is constantly changing, and keeping up requires not only the right skills and workflows but also tools that combine accuracy and automation. New vulnerabilities can show their faces long after an application is deployed, so continuous, automated security checks are necessary.
- Provide a top-down mandate to make security everyone’s responsibility. Security isn’t on everyone’s mind all the time, so consider building a security champions program and empowering team members to act as a bridge between security gurus and regular employees. Additionally, be open and transparent in the event of a breach, and encourage your teams to freely communicate with you whenever they see security issues arise.
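The two tips on remediation tracking and severity-based prioritization above boil down to a small amount of bookkeeping that is easy to automate. The following script is an added example, not code from the original article or from any vendor it describes: it takes a list of constructed findings, checks each one against example per-severity remediation deadlines (the `SLA_DAYS` values are assumptions, not an industry standard), reports open, overdue and mean-time-to-remediate figures per severity, and orders the open items into a remediation queue. The application names and finding ids are hypothetical.

```python
"""Track vulnerability remediation by severity.

Added example, not code from the original article. The findings and the
SLA thresholds below are constructed for illustration only; tune them to
your own risk appetite.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed remediation deadlines in days, by severity (example values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Lower rank means "fix first".
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    app: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None means still open


# Constructed sample findings (hypothetical apps and ids).
FINDINGS = [
    Finding("F-001", "billing-api", "critical", date(2022, 9, 1), date(2022, 9, 5)),
    Finding("F-002", "billing-api", "high", date(2022, 9, 3), date(2022, 10, 20)),
    Finding("F-003", "legacy-portal", "critical", date(2022, 9, 20)),
    Finding("F-004", "legacy-portal", "medium", date(2022, 8, 1)),
    Finding("F-005", "hr-app", "low", date(2022, 6, 1), date(2022, 9, 1)),
    Finding("F-006", "hr-app", "high", date(2022, 10, 10)),
]

# The "as of" date for the constructed report.
REPORT_DATE = date(2022, 11, 1)


def is_overdue(f: Finding, today: date) -> bool:
    """A finding breaches its SLA if it is still open past the deadline,
    or if it was fixed later than the deadline allowed."""
    end = f.fixed or today
    return (end - f.found).days > SLA_DAYS[f.severity]


def remediation_metrics(findings, today: date) -> dict:
    """Per-severity totals, open and overdue counts, and mean time to
    remediate (MTTR, in days) over the findings that have been closed."""
    report = {}
    for sev in SLA_DAYS:
        group = [f for f in findings if f.severity == sev]
        closed = [f for f in group if f.fixed is not None]
        days = [(f.fixed - f.found).days for f in closed]
        report[sev] = {
            "total": len(group),
            "open": len(group) - len(closed),
            "overdue": sum(is_overdue(f, today) for f in group),
            "mttr_days": round(sum(days) / len(days), 1) if days else None,
        }
    return report


def remediation_queue(findings) -> list:
    """Ids of open findings, most severe first and oldest first within a
    severity, so the team always knows what to fix next."""
    open_items = [f for f in findings if f.fixed is None]
    open_items.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.found))
    return [f.finding_id for f in open_items]


if __name__ == "__main__":
    for sev, m in remediation_metrics(FINDINGS, REPORT_DATE).items():
        print(f"{sev:8} total={m['total']} open={m['open']} "
              f"overdue={m['overdue']} mttr_days={m['mttr_days']}")
    print("fix next:", remediation_queue(FINDINGS))
```

Note that a finding counts as overdue even after it is fixed if the fix landed past the deadline; that is what keeps the MTTR figure honest and shows whether the program is actually making headway rather than just closing tickets.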
Your entire cybersecurity program should prioritize transparency, honesty, and trustworthiness. If your organization starts burying incidents or hiding risk due to ego or fear of a PR mess or losing share value, you’ve already lost. An old adage puts this concept into perspective: Trust takes years to build, seconds to lose, and forever to repair. The best way to avoid having to repair it is to maintain high ethical standards for yourself, your AppSec program, and your employees in the first place.