Shostack + Friends Blog

 

The Appsec Landscape in 2023

External changes will be driving appsec in 2023. It’s time to frame the decisions in front of you. a fuzzy landscape with people reading a map

2023 brings new challenges and new opportunities for software companies, and all companies are now software companies. Many of those will come from regulation coming into force. This post provides you with context, and then some economic, regulatory, and engineering factors that play into decisions your organization needs to make.

Today, new American regulations are sectoral. Medical device makers have been hearing the FDA increasing pre-market requirements for years in a series of drafts. New rules from OMB are less prominent, but much more impactful to those who want to sell to governments: “Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices.” (OMB-M-22-18.) There are important European regulations like the Digital Markets act, but I’m less familiar with them.

That’s today. Over the next few years, you should expect regulation to cover more software more stringently. Requirements like these often lean on NIST SSDF. Even if they don’t have a line “you must threat model,” because there’s a lot of ways you can threat model, it’s hard to comply if you aren’t threat modeling.

If you’re not asking “what can go wrong” with each feature, and with the design as a whole, how will you attest that you “have been following a risk-based approach for secure software development?” (OMB again.) Threat modeling is the activity that lets us identify those risks.

The roll-out of new regulations like these will, probably, generally, have some grandfather clauses that accepts some fraction of legacy code created before the regulation. And in today’s economic climate, you may want to take a wait and see approach.

Your decisions depends on how you expect the future to unfold, and there’s (at least) three elements which you should consider.

Economic Factors

Disruption is complex. Many companies will invest in lobbyists to argue against rules like those in 22-18. Others will invest in appsec programs and paying down some technical debt. Those are bets on customers caring more, more regulatory requirements, or that an ounce of security prevention is worth a pound of Log4shell CircleCI pain avoidance.

Buyers are starting to treat supply chain as an engineering issue, augmenting their questionnaires with hard questions about how you build products. Like the rest of the future, it’s unevenly distributed. The FDA and many governments are starting to care deeply. Are you at a company or in a sector that’s had “lighthouse events?” Has a key customer had them?

Are your good customers going to drive hard on security improvements?

Regulatory Factors

In my Oct/Nov Appsec Roundup (here) I wrote:

National Cyber Director Chris Inlgis implies that we'll see liability in the next National Cybersecurity Strategy, and Anne Neuberger says "tech providers must make fundamentally secure products, starting at the earliest design phases, at no extra cost to buyers." I expect to see a lot more in this area.

I stand by that, and expect that the techlash is going to get worse, and that the regulations designed to bring big tech into line will get more complex and onerous. SBOM is a part of this, and I expect to see more tools, such as VEX, carried on top of it. We’re also likely to see requirements for architecture diagrams. For example, the FDA’s latest pre-market cyber draft includes:

[Architecture views including]...Detailed diagrams and supporting explanatory text that identify all manufacturer and network assets of the system in which the device will operate, including but not limited to:
  1. Device hardware itself (including assessments for any commercial platforms);
  2. Applications, hardware, and/or other supporting assets that directly interact with the targeted device, such as configuration, installation/upgrade, and data transfer applications;
  3. Health care facility-operated assets;
  4. Communications/networking assets; and
  5. Manufacturer-controlled assets, including any servers that interact with external entities
(Page 37, lines 1392-1405)

Other than changing “health care” to “customer,” that can be adopted by roughly any buyer or industry regulator. There’s an argument to be made that a single, broad law would be less complex or onerous to comply with than a slew of sectoral laws with slight differences. (I know of large companies that employ teams of people whose entire jobs is mapping these compliance regimes to the internal engineering guidance, and producing visibly high quality documentation defending their mappings.)

A Lawfare article Medical Device Security Offers Proving Ground for Cybersecurity Action provides some context, and the title really says a lot: medical is a proving ground. [Update, Jan 9, the author has another article; apparently the omnibus spending bill included medical device updates, “the first time since the Energy Policy Act of 2005 that Congress has expressly authorized any agency to regulate the cybersecurity of privately owned and operated systems of any kind.”]

Are your regulators going to move quickly or slowly?

Engineering Factors

The sorts of products you deliver influence your engineering costs. The more intensely your customers integrate your products, the harder it is to change them. For example, if you sell an operating system, changing the APIs that your customers use imposes costs on them. Microsoft invests in supporting old APIs. It’s expensive, but contributes to Microsoft’s success.

Threat modeling reduces the need for security-driven refactoring, by helping you anticipate problems and design for them. It’s the measure twice, cut once of software. If your dependencies are small, you may get less value from threat modeling.

Similarly, if the data you process is lower-value, you may get less value from threat modeling.

In contrast, if your dependencies are high, your data is valuable, or you need to avoid refactoring or technical debt, more threat modeling may be a good part of your 2023 plans.

How important is reducing re-work in your product engineering?

Going Forward

External forces beyond features will continue to influence product delivery in 2023. Smart executives are examining those forces, engaging with their leadership teams and making plans that take them into account. When I talk to execs, the first things I ask are “what do you hear from your leadership team?” “Are they aware of these changes?”

Credit: Dall-E, “a black and white photo of a landscape with a meandering and forking path, desert on the left and green and lush on the right. businesspeople on the path reading a map”