Invicti Security talking DevSecOps at RSA Conference 2022
Another great RSA is in the books! This past week, we finally had the chance to meet and mingle with fellow security-minded attendees at RSA Conference 2022, and we came away with a whirlwind of conversations, ideas, and industry insights. Invicti had quite the presence – you might’ve spotted unique handmade machines in our booth that guests could scan and fix to win prizes, or seen our logo on wheels taking attendees to and from the conference hall. Maybe you caught our interviews with Security Weekly on harmonizing DevSecOps, too.
We also presented a session with Ean Meyer, Associate Director of Security Assurance at Marriott Vacations Worldwide. Invicti’s Chief Product Officer Sonali Shah sat down with Ean to chat about why it’s so important to get a handle on your security debt and how you can best use security processes to pay it down. Security debt – a critical part of your overall technical debt – isn’t automatically rife with risk. But if left unchecked, it stifles innovation and hinders your ability to stay nimble as new threats emerge.
In their session, Sonali and Ean discussed how the accumulation of vulnerabilities in your software could stem both from intentional security trade-offs and from insufficient investment in critical security needs. Many organizations have made secure coding best practices and the production of secure applications an objective for their entire organization. Still, some continue to add to their security debt because they lack support from the business. To pay down debt, Sonali and Ean recommend a three-step strategy: defining and triaging risk, integrating and automating continuous security testing, and then making incremental improvements. Ultimately, this helps teams reduce friction, improve communication and collaboration, and boost innovation.
While our session offered a fascinating insight into real-world application security challenges, it only scratches the surface of the knowledge-sharing at RSA. From national security to open source risk and security champions, speakers and guests covered many more critical elements that can make or break a modern application security strategy. Read on for a subjective selection of insights that also caught our attention at RSA Conference 2022.
Untangling your threat landscape with SBOMs
There was no shortage of sessions at RSA focused on improving visibility and getting a handle on your threat landscape. In addition to web asset discovery, one part of understanding and safely managing your full attack surface is knowing which components you’re using and where. A software bill of materials, or an SBOM, is a crucial part of that puzzle, as it helps teams stay on top of what went into building each piece of software so they can identify gaps in coverage while also maintaining a secure environment with open-source dependencies.
Covering this topic in a session titled “Tooling up: Getting SBOMs to Scale” were Allan Friedman, Senior Advisor and Strategist at CISA, and Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation. They kicked off their presentation by defining an SBOM as a “...formal record containing the details and supply chain relationships of various components used in building software.” Typically, SBOMs cover the development process, the supply chain, risk management, and vulnerability management, providing a window into every component that might present risk.
Allan and Kate noted that while many agencies are voluntarily implementing SBOMs as part of their security strategies, others are actually forced to do so if they want to remain compliant with President Biden’s executive order on cybersecurity. Where should agencies and organizations start? Allan and Kate recommended trying out an SBOM tool, applying it to an existing code repository, and then working out a formal SBOM strategy within three months. For most organizations, six months should be enough to get an SBOM implementation well underway.
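To make the "which components and where" point concrete, here is an added example (not from the session, from CISA, or from the Linux Foundation) that consumes a small SBOM in the CycloneDX JSON layout, lists its components, walks the dependency graph to show where each component is pulled in, and cross-checks the inventory against an advisory list. The SBOM document, the package names, the versions and the advisory identifiers are all constructed for this illustration and correspond to no real project or CVE.

```python
"""Inventory a simplified CycloneDX-style SBOM and cross-check it against an
advisory list. Added illustration: the SBOM, the package names and the
advisory ids below are constructed and do not refer to any real project."""
import json

# Constructed SBOM in the CycloneDX JSON layout (bomFormat, components,
# dependencies); only the fields used by the functions below are included.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-webapp", "version": "2.1.0",
                               "bom-ref": "pkg:generic/example-webapp@2.1.0"}},
    "components": [
        {"type": "library", "name": "example-http", "version": "1.4.2",
         "purl": "pkg:pypi/example-http@1.4.2",
         "bom-ref": "pkg:pypi/example-http@1.4.2"},
        {"type": "library", "name": "example-json", "version": "0.9.0",
         "purl": "pkg:pypi/example-json@0.9.0",
         "bom-ref": "pkg:pypi/example-json@0.9.0"},
        {"type": "library", "name": "example-tls", "version": "3.0.1",
         "purl": "pkg:pypi/example-tls@3.0.1",
         "bom-ref": "pkg:pypi/example-tls@3.0.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-webapp@2.1.0",
         "dependsOn": ["pkg:pypi/example-http@1.4.2",
                       "pkg:pypi/example-json@0.9.0"]},
        {"ref": "pkg:pypi/example-http@1.4.2",
         "dependsOn": ["pkg:pypi/example-tls@3.0.1"]},
        {"ref": "pkg:pypi/example-json@0.9.0", "dependsOn": []},
        {"ref": "pkg:pypi/example-tls@3.0.1", "dependsOn": []},
    ],
})

# Constructed advisory feed: package name -> [(affected versions, placeholder id)].
SAMPLE_ADVISORIES = {
    "example-tls": [({"3.0.0", "3.0.1"}, "ADV-EXAMPLE-0001")],
    "example-json": [({"0.8.0"}, "ADV-EXAMPLE-0002")],  # 0.9.0 is not affected
}


def load_sbom(text):
    """Parse the SBOM JSON and apply the minimal sanity checks a consumer needs."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported bomFormat")
    if "components" not in sbom:
        raise ValueError("SBOM carries no component inventory")
    return sbom


def inventory(sbom):
    """Map each component's bom-ref to its (name, version) pair."""
    return {c["bom-ref"]: (c["name"], c["version"]) for c in sbom["components"]}


def reverse_dependencies(sbom):
    """Invert the dependency graph: child bom-ref -> set of parent bom-refs."""
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, set()).add(entry["ref"])
    return parents


def dependents_of(sbom, ref):
    """Every component that transitively pulls in `ref`, i.e. where it is used."""
    parents = reverse_dependencies(sbom)
    seen, stack = set(), [ref]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def flag_components(sbom, advisories):
    """Return sorted (bom-ref, advisory id) pairs for components at an affected version."""
    hits = []
    for ref, (name, version) in inventory(sbom).items():
        for affected, advisory_id in advisories.get(name, []):
            if version in affected:
                hits.append((ref, advisory_id))
    return sorted(hits)


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print(f"{len(inventory(bom))} components in inventory")
    for ref, advisory_id in flag_components(bom, SAMPLE_ADVISORIES):
        print(f"{advisory_id}: {ref} reached via {sorted(dependents_of(bom, ref))}")
```

The reverse-dependency walk is the part that matters in practice: a transitive library like the constructed `example-tls` never appears in the application's own manifest, so without the SBOM's dependency section a team would know that the affected version is somewhere in the build but not which first-party component pulls it in or who owns the fix.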
Cybersecurity is (still) a national imperative
The need for improved coverage and clarity was echoed by one of the keynote sessions at RSA: “Cybersecurity as a National Security Imperative.” The keynote included Jen Easterly, Director of CISA, John “Chris” Inglis, Office of the National Cyber Director, Executive Office of the President, and Robert Joyce, Cybersecurity Director at the NSA. In the keynote, panelists discussed the critical importance of cohesion across agencies for improving coordinated detection and response for emerging security threats.
Intelligence stovepipes in government still exist where information must remain private, the panelists noted, but having cross-functionality in security that pulls from individual expertise is vital. By sharing knowledge, agencies can break down cybersecurity communication barriers without interfering with their existing information flows. This level of collaboration improves visibility and threat intelligence by playing to diverse cybersecurity strengths across the government and even connecting with other nations facing similar challenges.
As they continue to build guidelines and best practices to bring the federal government ecosystem together with the private sector, federal cyber coordinators aim to achieve an operational collaboration model for real-time information sharing. That information will trickle down to everyone for a more secure digital infrastructure nationwide and, hopefully, globally.
Stay tuned for more from RSA Conference 2022
As the dust settles and we reflect on this hectic but exciting week, stand by for next week’s post with more takeaways from crucial keynotes – and first-hand impressions from our team.