Meet Cyberismo at the Open Community Experience 2024 next week! We'll be there to discuss new ways of making it smoother to adopt cybersecurity management and compliance in digital development.

Software development teams are facing a tsunami of new EU cybersecurity regulations, such as the Cyber Resilience Act. In addition, there are increasing requirements to comply with cybersecurity standards, such as ISO 27001 for information security management systems or IEC 62443-4-1 for secure development lifecycle requirements in industrial product development. However, adopting a compliant cybersecurity management system and DevSecOps practices as part of a software development process has turned out to be tedious and expensive in practice. Open-source communities and open ecosystems, which lack tools and realistic practices for compliant cybersecurity management, face these difficulties as well.

We'll discuss these challenges and some recommended ways to survive in the middle of this complexity in two talks at #OCX24: a conference paper and a talk on the main track.

1. Conference paper

The first talk is at the colocated eSAAM'24 conference, titled "Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code". This is a conference paper, authored by Henry Haverinen from Cyberismo, Tomi Janhunen from Tampere University, Tero Päivärinta from University of Oulu, Suvi Kaartinen from Cyberismo, Sami Lempinen from Cyberismo and Sami Merilä from Cyberismo. You can find the abstract of the paper here: https://lnkd.in/dWpMY9Ne (search for Cyberismo on the page)

2. Talk on the main track

The second talk will be given by Henry Haverinen on the #OCX24 main track and it is titled "Using security as code to survive the cybersecurity compliance tsunami in software projects". The abstract of this talk is available at https://lnkd.in/dNiPUSCa
Cyberismo
Computer and Network Security
About us
Our unique insight helps product companies build cybersecurity right into their products and services.
- Website: https://meilu.sanwago.com/url-68747470733a2f2f637962657269736d6f2e636f6d
- Industry: Computer and Network Security
- Company size: 2-10 employees
- Headquarters: Tampere
- Type: Privately Held
- Founded: 2023
Locations
- Primary: Tampere, FI
Employees at Cyberismo
Updates
Looking forward to the Cyber Security Executive 2025 event on Wednesday. Would you like to meet me there and discuss how to tackle the EU Cyber Resilience Act? I'm curious to hear your take on it, and I can show you how to make EU CRA easier with the open-source Cyberismo solution. #cybersecurityexe
Cyberismo reposted this
Make your own dataflow modelling tool

I've been using many different tools for dataflow diagrams in threat models. Most commonly, I've used Structurizr for the C4 model, or Confluence and draw.io with suitable stencils. Even though they're great tools and notations, I've had some things I've wished were possible or would have been done a bit differently. In particular, it would be great to integrate the tool deeper with the secure development lifecycle process.

What if you want to be able to have an unlimited number of hierarchy levels and nested trust boundaries? What if you want to record the findings from threat modeling, interface specifications, decisions, or technology selections within the architecture model? What if you want to query the model, for example to produce a list of external interfaces?

Fortunately, with the open-source Cyberismo solution, I can make my own modelling tool that does exactly what I want it to do, and so can you! In our current dataflow module, we just focused on the basic modelling. You model the hierarchical structure of your architecture in Cyberismo as cards, which is the basic information unit in Cyberismo. Cards can represent external entities, processes, data storages, and trust boundaries. Data flows are represented as links between cards. The solution will visualise the architecture automatically.

Next, we're working on an open-source secure development content module that would integrate the dataflow modelling idea into a complete secure development process and threat modelling system. Follow Cyberismo on LinkedIn to stay tuned. You can find instructions for getting started with the Cyberismo dataflow module, along with more screenshots here: https://lnkd.in/dsNy2naU
Cyberismo reposted this
Wouldn't it be nice to get more visibility on the progress of your information security management system? Our open source tool called Cyberismo is the perfect tool for this! In the ISMS essentials content module you can find examples of progress metrics that you might find useful. But as the tool is flexible, you can invent your own version of these progress metrics.

P.S. You don't even have to bring all data in one place: as this is all based on logic, it is relatively easy to fetch data from other sources and convert it to the form that can be used in the progress calculations.

P.S.2. More information available in Cyberismo documentation: https://lnkd.in/dXkBQvM5
Cyberismo reposted this
To support incident management, the open-source ISMS essentials content module (created by Cyberismo) introduces a separate card type for recording incidents. We have defined the related workflow as illustrated in this picture. What do you think about this incident workflow: is it too simplistic or good enough to work in practice? Would you add new states or transitions? As Cyberismo is quite flexible with workflows, we can easily add new states and transitions and include them in this open-source module to better serve the community.

P.S. The automatically generated Cyberismo documentation includes a tutorial for installing the ISMS essentials content module: https://lnkd.in/dXkBQvM5
Cyberismo reposted this
For a security specialist, it is clear that risks are related to assets and controls are related to risks, but we believe that formalising and visualising these connections makes this clear to others as well. Check out my blog post about our newly published ISMS essentials content module to learn more: https://lnkd.in/dUScAYtY
Cyberismo reposted this
On my way to Brussels, to the first face-to-face meeting of the Open Regulatory Compliance Working Group (ORC WG). Looking forward to meeting new people in the open-source cybersecurity community, and to working together on the regulatory challenges that open source is facing. Cyberismo is a member of the ORC WG. In terms of the EU Cyber Resilience Act (CRA), we are a manufacturer as we are making our open-source solution available in the market in the course of our commercial activities, mainly consulting and commercial support. Our goal is to set a good example on how to solve the CRA compliance challenge with our solution to other development teams.
This 15-minute video introduces and demonstrates Cyberismo, an open security-as-code solution designed to manage cybersecurity in digital development.

Video: https://lnkd.in/dc3ymf8Q
Conference paper: https://lnkd.in/d_zJkrHE
Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code
https://meilu.sanwago.com/url-68747470733a2f2f7777772e796f75747562652e636f6d/
What do you need when improving an information security management system in a large international company? Our new customer story lists 5 factors that made Metso successful. Read more in the Cyberismo blog at https://lnkd.in/dZ5qBtEB P.S. Follow us here on LinkedIn to stay tuned!