Announcing the technology preview of Cyberismo solution

Oct 21, 2024 | Cyberismo solution, Events

Make a difference in cybersecurity with the Cyberismo solution

Development teams are facing increasing requirements for cybersecurity and compliance to protect their users and stakeholders from ever more serious cybersecurity threats. However, adopting cybersecurity processes and compliance with standards or regulations has turned out to be tedious and hard in practice.

The Cyberismo company was founded to make a difference in this regard. Since the beginning, we have been building a solution to make the adoption of cybersecurity management and compliance easier in digital development. In conjunction with the Open Community Experience 2024 (OCX24) conference in Mainz, Germany, on October 22-24, we are ready to announce the open Cyberismo solution.

The solution is currently available as a technology preview. While we’re testing and piloting it with some close friends, we’re also calling for wider feedback on the concept. The solution supports reusable content modules, and in the coming weeks and months, we will be announcing new content modules.

The Cyberismo solution supports automated policy checks.

At OCX24, we’ll discuss the challenges that development teams are facing, and the Cyberismo solution, along with other security-as-code solutions, in two talks: a conference paper and a talk on the main track.

eSAAM’24 conference paper at OCX24

The first talk is at the co-located scientific conference eSAAM’24, titled “Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code”. This talk presents a conference paper, authored by Henry Haverinen from Cyberismo, professor Tomi Janhunen from Tampere University, professor Tero Päivärinta from University of Oulu, Suvi Kaartinen from Cyberismo, Sami Lempinen from Cyberismo and Sami Merilä from Cyberismo.

The conference paper takes a deep dive into the foundations and the background of the Cyberismo solution. Here is the abstract of the paper.

Software development teams meet increasing requirements to implement cybersecurity management in compliance with standards and regulations. However, adopting a compliant cybersecurity management system and DevSecOps practices as part of a software development process has turned out to be tedious and expensive in practice. Open-source communities and open ecosystems, which lack tools and realistic practices for compliant cybersecurity management, face these difficulties as well.

This paper suggests a set of requirements and a solution that are based on long-term experience in adopting standard-compliant DevSecOps processes in industry. The proposed solution, called Cyberismo, facilitates the adoption of compliance and cybersecurity management, improves collaboration on cybersecurity in company-internal projects, cross-company projects, and open-source projects, and automates the compliance and cybersecurity management in software development by way of an open information model representation format, and an open-source tool to manage the information model. As the information model uses a simple plain text format that can be managed by automated DevSecOps tool chains, it can be understood as an instance of the Everything as Code and Security as Code paradigms.

The proposed solution is designed as modular, tailorable to the organisation and its existing tools, and flexible enough to model both process- and technology-related information. It automates both the validation of how compliance requirements have been met and the gathering and archiving of evidence of compliance.

The information model is mapped to a logic program conforming to the Answer Set Programming (ASP) paradigm for knowledge representation. The mapping enables flexible query evaluation and reasoning, including the calculation of performance measures and automated policy checks. However, developers, product owners and other end-users of the solution do not necessarily need to know how to write logic programs, as logic programs can be encapsulated in content modules made available for the users. By putting the ease of adoption of compliant DevSecOps processes by the practitioners in the spotlight, this paper concludes that it is both necessary and possible to meet all the proposed requirements.
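To make the idea of mapping an information model to a logic program concrete, here is a small illustrative policy check in clingo-style Answer Set Programming. This is an added example, not Cyberismo’s own format or content; the predicates (component/1, threat_model/2, and so on) and the sample facts are assumptions constructed for illustration.

```prolog
% Constructed sample facts standing in for a plain-text information model.
% (Hypothetical predicate names; not the Cyberismo representation format.)
component(auth_service).
component(payment_api).
component(reporting_job).

threat_model(auth_service, tm_auth_2024).
threat_model(payment_api, tm_pay_2024).

review_done(tm_auth_2024).

% Policy 1: every component must have a threat model.
has_threat_model(C) :- threat_model(C, _).
violation(C, missing_threat_model) :- component(C), not has_threat_model(C).

% Policy 2: every threat model must have been reviewed.
violation(C, unreviewed_threat_model) :- threat_model(C, T), not review_done(T).

% Derived compliance status per component.
has_violation(C) :- violation(C, _).
compliant(C) :- component(C), not has_violation(C).

% Performance measure: number of compliant components out of all components.
compliance_rate(N, M) :-
    N = #count { C : compliant(C) },
    M = #count { C : component(C) }.

#show violation/2.
#show compliance_rate/2.
```

Running this with clingo reports the two violations (payment_api has an unreviewed threat model, reporting_job has none) and a compliance rate of 1 out of 3; the same query shape is what lets a content module encapsulate a policy so end users never write the rules themselves.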

Talk about security-as-code on the OCX24 main track

The second talk will be given by Henry Haverinen on the OCX24 main track and it is titled “Using security as code to survive the cybersecurity compliance tsunami in software projects”.

The second talk justifies the concept of security-as-code and presents two interesting and previously established solutions: the Open Policy Agent and the OSCAL ecosystem that has been launched by the National Institute of Standards and Technology (NIST). We will also discuss the Cyberismo solution.

Here is the abstract of the second talk:

Software development teams are facing a tsunami of new EU cybersecurity regulations, such as the Cyber Resilience Act and the NIS2 directive. In addition, there are increasing requirements to comply with cybersecurity standards, such as ISO 27001 for information security management systems or IEC 62443-4-1 for secure development lifecycle requirements in industrial product development.

In this talk, an experienced cybersecurity consultant will demystify what these regulations and standards mean in practice for software teams, why it is often tedious and expensive to implement them, and why especially open-source projects lack realistic tools and practices for compliance.

We will also discuss recommended ways to survive in the middle of this complexity. An emerging approach is to automate cybersecurity compliance by representing it in a plain text content format that can be managed in software version control in the same way as code. We will discuss several examples of this emerging approach, including the Open Policy Agent, the NIST OSCAL ecosystem, and an open-source project that the speaker has co-founded.

Conclusion

If you’re attending OCX24, then don’t miss out on these sessions!

We’re looking forward to discussing the cybersecurity challenge and your experiences and insights into solving it. If you see someone wearing a bright orange hoodie with a Cyberismo logo on it, then just come and talk!

To learn more about the solution, please visit Cyberismo solution for an overview.