
Software Industry Receives Security Caution from JPMorgan Chase's Chief Information Security Officer

Third-party vendors should prioritize secure development methods rather than rushing to market, according to a letter penned by Patrick Opet.

JPMorgan Chase's Chief Information Security Officer issues a cautionary statement to the software sector concerning the integrity of their supply chains.


In the wake of a series of high-profile cybersecurity incidents, Patrick Opet, the global Chief Information Security Officer (CISO) at JPMorgan Chase, has written an open letter calling for the software industry to prioritize secure development practices over speed to market. The letter was penned on the eve of the annual RSAC Conference in San Francisco, where more than 45,000 members of the cybersecurity industry are scheduled to discuss pressing issues like software security.

Opet's call to action comes in the aftermath of a third-party software issue that impacted more than 451,800 people at JPMorgan Chase, allowing three employees to see certain records of retirement plan participants. Additionally, the financial giant faced trading disruptions due to a July 2024 international IT outage caused by a faulty CrowdStrike software upgrade, according to Bloomberg.

Threat actors are increasingly targeting third-party technology providers, and global companies' growing reliance on a small number of software-as-a-service providers leaves them exposed to hacks or disruptions at those providers. Opet warned that software needs to be secure by default, because mounting supply-chain disruptions are weakening the global economic system.

In his letter, Opet advocated for improved security standards and more transparency in how suppliers use privileged access. He also called for a collective effort by the software industry to work together on various fronts regarding software security. Opet's call echoes a recent plea from former Cybersecurity and Infrastructure Security Agency director Jen Easterly for the software industry to embrace secure-by-design principles.

To address these concerns, senior information security executives recommend a multifaceted approach to secure software development. This approach aims to reduce supply-chain disruptions and enhance cybersecurity. Key recommendations include:

1. **Secure Coding Practices and Standards**: Implement rigorous input validation, secure authentication and authorization mechanisms, proper error handling, secure data storage, and maintain secure coding standards that evolve with emerging threats and technologies.

2. **Adopting Memory Safe Languages (MSLs)**: Leverage memory safe languages to provide proactive security by design, including compile-time and runtime safety checks to prevent memory corruption and invalid states.

3. **Fostering a Security-First Culture within DevSecOps**: Integrate security into DevOps workflows (DevSecOps) to enable collaboration among development, security, and operations teams. Promote a culture that prioritizes security through regular training, awareness programs, and a mindset that security is integral—not optional—to software development.

4. **Managing Security Risks Proactively**: Develop clear, simple security guidelines, conduct frequent security testing and vulnerability assessments, and use up-to-date tools and technologies to defend against evolving threats and supply-chain vulnerabilities.

By integrating these practices, the industry aims to build resilience against cyberattacks and supply-chain risks, reducing the attack surface and enhancing operational continuity in software development and deployment. This holistic approach not only strengthens cybersecurity posture but also addresses regulatory compliance and long-term cost efficiency.

Opet also suggested that technologies like confidential computing could reduce risks when suppliers use sensitive information. He cited an example of China-linked espionage group Silk Typhoon targeting remote-access tools and cloud applications. Modern identity protocols like OAuth create direct connections between third-party services and sensitive internal resources at companies, making it easier for attackers to gain access to confidential data or internal communications, according to Opet.

Brian Fox, co-founder and CTO at Sonatype, supports Opet's call for improved software security measures. Software security leaders welcomed Opet's letter, but some argued for even tougher measures, including potential legal liability.

As the cybersecurity landscape continues to evolve, the software industry must adapt and prioritize security to protect against increasingly sophisticated threats and maintain operational continuity.

Cybersecurity is a pressing issue that needs immediate attention, as evidenced by the recent high-profile cybersecurity incidents. In his open letter, Patrick Opet, the global CISO at JPMorgan Chase, emphasized the need for the software industry to prioritize secure development practices over speed to market to enhance privacy and cybersecurity. Moreover, Opet advocated for a collective effort by the software industry to work together on various fronts to improve software security, leveraging technologies like confidential computing and modern identity protocols to reduce risks.
