On February 26, 2024, the National Institute of Standards and Technology (NIST) released an update to the Cyber Security Framework (CSF), introducing several changes, including implications for security by design and secure SDLC.

Application security has become increasingly important in recent years due to the rise in cyber-attacks and data breaches. Governments in both Canada and the US have recognized the need for increased scrutiny over application integrity and have introduced regulations and guidelines to ensure the security of sensitive data.

In the US, the National Institute of Standards and Technology (NIST) released an update to the Cyber Security Framework (CSF) in 2024, introducing several changes, including implications for security by design and secure SDLC.

One of the most significant changes in NIST CSF 2.0 is the introduction of the Platform Security category under the “Protect” function. This category specifically references secure software development, stating that “Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.”

CodeEye launched IRIS in 2019 with the ability to consolidate code security into one platform. Since then, IRIS has evolved into a Next Gen ASPM solution.

What is IRIS ASPM?

From code to production, IRIS detects, correlates, provides risk-based analysis, and prioritizes application security findings for easier interpretation and remediation – all within one platform.

IRIS has a built-in Risk and Compliance Module that provides ongoing performance and risk monitoring of the product development program, addressing the requirements of PR.PS-06 of NIST CSF 2.0. This means that organizations can use IRIS to ensure that their secure software development practices are integrated and monitored throughout the software development life cycle.

IRIS’s Risk and Compliance module supports the implementation and improvement of the NIST Cybersecurity Framework (CSF) 2.0 across the software development lifecycle. It provides a comprehensive view of the usage and findings of different scanning modules that correspond to the five core functions of the CSF: Identify, Protect, Detect, Respond, and Recover. It helps stakeholders monitor and compare the performance, risk, and health of the software projects and teams, and supports data-driven decision-making and risk mitigation efforts.

The R&M Dashboard of IRIS aligns with the CSF 2.0 requirements across all 5 functions:

Identify: The dashboard helps identify the assets, systems, and data that are involved in the software development process, and the potential risks and vulnerabilities that may affect them. By visualizing the number of issues found, analysis executed, and findings detected in different project stages (e.g., coding, QA, Production, Docker virtualization), the dashboard provides insights into the overall risk level at each stage.

Protect: The dashboard helps protect the software assets, systems, and data by enabling the use of different scanning modules that can detect and prevent security breaches, such as static code analysis, dynamic code analysis, penetration testing, and vulnerability scanning. The dashboard allows a comparative analysis of the level of usage and effectiveness of each scanning module. This helps identify which modules are being utilized most effectively and which ones may need improvement.

Detect: The dashboard helps detect the occurrence of cybersecurity events by tracking issues detected and analyses executed by each development team. This helps identify potential weak points in teams’ security practices and make informed decisions based on the results. The dashboard also facilitates the timely discovery and reporting of security incidents by providing alerts and notifications.

Respond: The dashboard helps respond to cybersecurity incidents by providing actionable information and guidance on how to address and resolve the issues. The dashboard facilitates risk mitigation efforts by identifying areas where security vulnerabilities are most prevalent, allowing teams to prioritize and address critical issues. The dashboard also supports communication and coordination among stakeholders and teams during the incident response process.

Recover: The dashboard helps recover from cybersecurity incidents by monitoring and comparing the results over time and assessing the impact and effectiveness of the remediation actions. The dashboard helps assess the overall health and security posture of the software development projects and identifies areas for improvement and lessons learned.

With NIST CSF 2.0 bringing a renewed focus on secure software development, CodeEye’s IRIS Next Gen ASPM provides a solution for organizations to efficiently meet the requirements of the new framework.

For more information on CodeEye’s Risk and Compliance Module, contact us for a demo.

About CodeEye Solutions

CodeEye Solutions is a leading Canadian provider of cutting-edge Application Security Audit / Offensive Testing and Application Posture Management Services, empowering organizations to safeguard their digital assets against evolving cyber threats. With a comprehensive suite of solutions, including IRIS, an all-in-one Managed Application Security Platform focused on the maturing security needs of the SMB market, we offer unparalleled protection for high-growth businesses with limited security resources and tireless development teams.

CodeEye Solutions is the Ontario Government Vendor of Record for IT Security Products and Services. Our expertise is application security, from the foundation to the product, coupled with expert guidance and support, to ensure that our clients can detect and mitigate security risks, improve code quality, foster collaboration between teams, and ensure compliance with regulatory requirements. For more information on CodeEye please visit www.codeeyesolutions.com.