Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/15/2018
02:30 PM
PJ Kirner
PJ Kirner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Democracy & DevOps: What Is the Proper Role for Security?

Security experts need a front-row seat in the application development process but not at the expense of the business.

With the advent of the cloud and DevOps, the job of implementing security has been dispersed more widely across IT. This has led to significant gains in speed and agility, but it has also created unacceptable risk for the business. For security, the pendulum has swung too far toward democracy. We need to pull it back.

It's easy to forget that as recently as a decade ago, IT in a pre-virtualization/pre-cloud world looked very different from today. Software projects were measured in months if not years, and security teams had control and visibility over all that went out the door. This ensured less risk, but as dev teams tried to move faster, security quickly became the infamous "department of no." If CSOs weren't banning projects outright, they were certainly holding them up to ensure every possible door to a vulnerability was closed.

DevOps is a great frontier by comparison. These days, software and infrastructure teams are implementing new features and services at a remarkable place, aided by higher-level tools and a myriad of third-party services in the cloud. Just this past year alone, swift advances in areas like containers and serverless computing have allowed dev teams to do far more with less.

It would be unfair to say developers aren’t attuned to the needs of security — the constant drumbeat of major breaches means that everyone is now aware of the need to lock down applications and data. And the major cloud providers have invested heavily to secure their infrastructure and provide built-in tools and protocols for securing data and connections.

But this is precisely the challenge. As DevOps turns to these off-the-shelf mechanisms to secure applications, they fall prey to an illusion of security. That's not a criticism of cloud providers; it merely reflects the reality that security in the enterprise is highly complex. Organizations develop security policies for a reason. Not all data is equal, and highly sensitive information, such as customer or financial data, must be afforded higher levels of protection. 

Networks and systems are also complex, and potential attack vectors aren't always apparent when applications are built quickly and modified frequently over time. Security experts need a front-row seat in the DevOps process, because they are the individuals uniquely trained to identify these vulnerabilities. But in the democratic model of security, their role is too often reduced.

Clearly, we do not want to roll back the advances of recent years and inhibit the ability of dev teams to innovate quickly. But developers, ops, and security teams must each acknowledge their respective areas of expertise and work together to ensure that the risks inherent to moving quickly without sufficient care are mitigated.

Security must not be a bottleneck, but the democratization of security through DevOps has been an overcorrection to the time when security had absolute control. If the right model for security is not a pure democracy, where everyone has an equal say in policy and no one is ultimately responsible, then we should think of it more as a representative democracy — where power resides in the people, but that power is exercised through elected representatives.

What does this imply for application development, IT operations, and security governance? That the elected security representative — the CSO — is accountable to the organization and therefore carries out its will (no more "department of no"). But the CSO also has authority to decide how that will should be implemented, because ultimately, it's the CSO who is accountable for keeping the business secure. 

Getting to the model of a representative democracy requires a change in how security, dev, and ops teams work together today. Here are three best practices to help make this happen.

  • Each team must recognize the knowledge the other teams bring to the table. While there needs to be a baseline understanding, no single constituent can be specialized in all aspects of application development, deployment, and security. Without respecting each other's expertise, there's no way to move fast and be secure at the same time.
  • Consider new training to ensure teams know the limits of their knowledge and the needs of the other teams. For security professionals, this means keeping up to date with the latest development methodologies and services in the cloud. For developers, it means learning the limits of their security knowledge, and knowing when to ask a specialist for help.
  • Teams need to meet regularly to review their shared understanding and raise needs for specialists on the projects they are working on. Cooperation happens only through proactive dialogue. Put a monthly meeting on the books today.

Automation, virtualization and the cloud have brought sweeping changes to how applications are developed and delivered. IT is a far more exciting and dynamic place to be than it was just a decade ago, and technologists have far more impact on the success or failure of business. But that also brings new levels of responsibility. A single security incident can affect the valuation of an entire company. Dev teams and security staff must work together to ensure this does not happen.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...
CVE-2019-10062
PUBLISHED: 2021-05-13
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attri...
CVE-2020-23995
PUBLISHED: 2021-05-13
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.