It’s hard to ignore Mercury. Mercury at a searing 800 degrees zips around the sun in 88 days, churning out its revolutions with little regard for anything else. Just like honey badger, Mercury Don’t Care. Appropriately enough, it was named after a Roman god, who, among other titles, is known as the God of Commerce.
Mercury is a great analogy for the speed and intensity of business today.
Pluto, which lost its seat at the table and isn't even a planet anymore, runs at a cool 380 degrees below zero. It takes 90,000 glacial days for it to make its way around the sun. Like the Greek god of the underworld, it sort of just lurks there behind the scenes, barely noticeable until tragedy strikes.
Like Pluto, security lives on the margins of the business world. Also like Pluto, security is at risk of losing its seat at the table.
One would be foolish to ignore the relationship between these two distant brothers. How to bring this estranged kin together? Zip up your parka, grab some sunscreen and let’s give it a shot.
The Planetary Ice Breaker
Mercury meet Pluto. Pluto meet Mercury. Security and business run in different orbits, but the time has come to collaborate. Business has been forging new ways of doing things with DevOps-like concepts (lean and agile anyone?) for quite some time while security has been more or less stagnant. Security is not keeping up, and just like Pluto, it’s about to lose its seat at the table.
Security talk can be dry, making it a tough sell to executive management. However, security expertise is vitally important to today’s business. Notice, I didn’t say security software. Security expertiseis necessary. James D. Brown, Chief Architect at Jumpcloud, in an article entitled, “Mythbusting: DevOps and Security”, states:
Most developers are not security experts. Security experts are needed now, more than ever, to partner with the other skill areas, and ignoring this is a great way to become the next hacker conquest.
Culture is even more important when integrating security into the development process. Patrick Debois, who coined the term “DevOps”, said:
Culture is the most important aspect to DevOps succeeding in the enterprise.
The first step in building a security culture into your DevOps organization is to give your security data some context and turn it into insights. Providing these insights to your development and operations groups will build security culture into the great DevOps process.
The Meteors of Change Are Coming
The hardest puzzle is still easier than a game against an adapting opponent.
Said another way, is that if you keep using the same defensive strategy and same defensive techniques, a dedicated opponent will figure it out.
For decades now, application security has had the same tired security techniques. The techniques have all look good on paper, but they have been ineffective and resulted in large numbers of compromised records annually. Enterprise has tried compliance, but this simply puts the “right” pieces in place with no emphasis on how they work. They have tried Web Application Firewalls. Yet we are still being hacked. We’ve even tried advancements in risk management techniques. But this is all hand waving and guessing at what threats you can really expect. When the attacker is intelligent and adaptive, you’re never really sure of your security. You’re simply guessing.
A more proactive and comprehensive way to do security is interactions based security. Where can attacks occur? What is the scope? Where are your systems? How do people interact with them? How do individual applications interact with the rest of the system?
The DevOps approach responds to attacks by reacting, adapting, and making changes in real time. Security threats are addressed as they are seen rather than trying to fix them before they occur. Security can’t be the lumbering basketball center, camping in the lane and waiting for an attack to happen. Security must be in constant motion, looking for attacks from all over the court. Security can be invited to the party with open arms if it helps developers and operations do their jobs better and more efficiently. Here are some points to consider:
- Create a defense mechanism that analyzes behavior. How are people using the application and network? When are they working? Can you find anomalous traffic and requests or connections in real time? Is there odd or suspicious activity occurring on the network or in an app? The most innovative security technologies are thinking in this manner and looking for points where reality deviates from normal expectations.
- Add application security telemetry. You have to detect before you can analyze. As it’s been said before, if it’s not monitored, it doesn’t exist. Measuring and monitoring security data provides context and pushes all the members of a team onto the same page. This acts as a forcing function on application security cultural change.
- Integrate security assessment into the development process. Assuming you’ve crossed the cultural divide, testing must be included in every aspect of the development process. Security focused DevOps projects inject code analysis tools that can enforce fixes prior to deployment. They automate attacks against pre-production code, and prevent that code from reaching production if they’re successful, and they continually assess the production environment for weaknesses and attacks in progress.
- Demystify and automate security tooling. Security tooling is not rocket science. Sit down with your development and operations teams and walk them through how it works. It’s just another component they must be familiar with to push the best possible product into production in the most rapid possible time frame.
- Minimize your threat landscape. Reduce available ways of being attacked, such as removing unnecessary software, usernames or logins, and unnecessary services.
- Audit your infrastructure and code using config management. Who has access? To what? When? From where? Run nightly audits of your hardening using config management, and/or test hardening every time you run config management.
The Solar System Is Changing
Remember, Pluto hasn’t been considered a planet for almost 10 years. Security can’t pine for the good old days of a system that is powered off and unplugged. That scenario just isn’t available. Today’s development processes are becoming the new standard, and all too often security is marginalized. Security can’t be an add-on, a supplement, or an afterthought anymore. It has to be, as Dan Kaminsky puts it, “a first class requirement”.
Signal Sciences’ industry first Next Generation Web Application Firewall was built in response to our frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps and cloud adoption. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security prioritization based on where your applications are targeted, and blocking attacks without breaking production traffic.