With hackers getting more creative and new security threats popping up every day, we must be proactive in stopping attacks before they happen. There are many ways to do this, and the one we’re focusing on here is knowledge sharing.
We’re all connected, which means our security efforts are also connected. If hackers find vulnerabilities in one system, chances are they’ll find and exploit them in other systems within the same community.
With data sharing at the core of the cloud software industry, an attack on one system can quickly become an attack on many. When we share knowledge, experiences, and updates about cyber security threats within the wider community, we improve resilience as a whole. We maintain a stronger security programme and help others keep theirs top-notch, as well.
The truth is, the cost of not sharing knowledge can be quite high:
“Cyber crime is on the rise – costing approximately over 1% of Global GDP a year. We see it as an important mission to contribute in education and supporting the general population, our supply chain, our current and potential clients, as well as other stakeholders. We do everything we can to make it harder for criminals to target their victims.”
Espen Johansen, Chief Security Officer at Visma
Here are a few ideas that you can explore within your organisation.
Get academics involved
Collaborating with other people who offer different perspectives is a great first step. And, who better to turn to than academics who are knee-deep in current research and trends?
Over the past year, our security team worked with seven master's students from universities across Europe and South America. Under the guidance of Daniela Cruzes, our Lead Security Researcher, we helped them select an area to study and provided data and an environment in which they could experiment. We guided them through their research process and asked them to present and validate their results with our colleagues in the following areas:
- Security technical debt
- Threat modelling automation
- Security champions program
- Intelligence for cybercrime prevention
The students gained research experience, and we gained valuable insights about our security programme. As an added bonus, these students get to take their learnings and experience into their careers to help inform a whole new generation of cyber security warriors.
“Collaborating with the great people at Visma always generates fruitful insights on state-of-the-art ways to develop software.”
Antonio Martini, Professor at University of Oslo
If you’re looking for ways to engage students and professors in your cyber security programme, reach out to universities in your local area or network. Chances are they’ll be excited to have access to real-world scenarios.
Set up internal research projects
In addition to external research projects, internal research projects can be a valuable tool for sharing knowledge across your organisation. Bringing engineers and other cyber security experts together to research and experiment will not only boost collaboration but yield other unexpected results, as well.
One of our recent examples of this was a research project driven by Nicoleta Botosan, Security Engineer Manager, and Romina Druta, Senior Infrastructure Engineer. They initiated a new direction for our security programme with regard to Infrastructure as Code (IaC) security. As IaC security is an up-and-coming field, their findings shone a much-needed spotlight on the importance of cloud security.
As one developer who worked on the project said: “We think it was beneficial for us and in a way made us think more about security vulnerabilities in our IaC to the point where we would gladly implement a tool to handle this for us.”
When thinking about internal research projects, make sure everyone in your cyber security team feels empowered to participate and bring ideas to the table. You might just unlock a whole new direction for your organisation.
Support open source communities
Cyber security teams are constantly looking ahead to know where they should invest. In order to know what’s coming, we need as many professionals as possible sharing tips, ideas, and observations. One of the ways to do this is through the open source community.
There are thousands of developers who are actively working in and building up these knowledge- and resource-sharing communities. Currently, we’re developing and publishing tools under permissive open source licences, and educating and advising developers on new technologies.
Here are a couple of FOSS (free and open-source software) initiatives we have ongoing:
We’ve also authored a project that’s designed to mitigate dependency confusion vulnerabilities. You can check it out and learn more here: visma-prodsec/confused.
When we work together, we’re better prepared to face security challenges head-on. We’ve seen that the fear of the unknown keeps people from taking advantage of innovations – because it requires trust and knowledge. So, by spreading knowledge, we can all do our part to dismantle this fear and move society toward a safer, more resilient future.