Application Security

2/15/2018
02:30 PM
PJ Kirner
PJ Kirner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Democracy & DevOps: What Is the Proper Role for Security?

Security experts need a front-row seat in the application development process but not at the expense of the business.

With the advent of the cloud and DevOps, the job of implementing security has been dispersed more widely across IT. This has led to significant gains in speed and agility, but it has also created unacceptable risk for the business. For security, the pendulum has swung too far toward democracy. We need to pull it back.

It's easy to forget that as recently as a decade ago, IT in a pre-virtualization/pre-cloud world looked very different from today. Software projects were measured in months if not years, and security teams had control and visibility over all that went out the door. This ensured less risk, but as dev teams tried to move faster, security quickly became the infamous "department of no." If CSOs weren't banning projects outright, they were certainly holding them up to ensure every possible door to a vulnerability was closed.

DevOps is a great frontier by comparison. These days, software and infrastructure teams are implementing new features and services at a remarkable place, aided by higher-level tools and a myriad of third-party services in the cloud. Just this past year alone, swift advances in areas like containers and serverless computing have allowed dev teams to do far more with less.

It would be unfair to say developers aren’t attuned to the needs of security — the constant drumbeat of major breaches means that everyone is now aware of the need to lock down applications and data. And the major cloud providers have invested heavily to secure their infrastructure and provide built-in tools and protocols for securing data and connections.

But this is precisely the challenge. As DevOps turns to these off-the-shelf mechanisms to secure applications, they fall prey to an illusion of security. That's not a criticism of cloud providers; it merely reflects the reality that security in the enterprise is highly complex. Organizations develop security policies for a reason. Not all data is equal, and highly sensitive information, such as customer or financial data, must be afforded higher levels of protection. 

Networks and systems are also complex, and potential attack vectors aren't always apparent when applications are built quickly and modified frequently over time. Security experts need a front-row seat in the DevOps process, because they are the individuals uniquely trained to identify these vulnerabilities. But in the democratic model of security, their role is too often reduced.

Clearly, we do not want to roll back the advances of recent years and inhibit the ability of dev teams to innovate quickly. But developers, ops, and security teams must each acknowledge their respective areas of expertise and work together to ensure that the risks inherent to moving quickly without sufficient care are mitigated.

Security must not be a bottleneck, but the democratization of security through DevOps has been an overcorrection to the time when security had absolute control. If the right model for security is not a pure democracy, where everyone has an equal say in policy and no one is ultimately responsible, then we should think of it more as a representative democracy — where power resides in the people, but that power is exercised through elected representatives.

What does this imply for application development, IT operations, and security governance? That the elected security representative — the CSO — is accountable to the organization and therefore carries out its will (no more "department of no"). But the CSO also has authority to decide how that will should be implemented, because ultimately, it's the CSO who is accountable for keeping the business secure. 

Getting to the model of a representative democracy requires a change in how security, dev, and ops teams work together today. Here are three best practices to help make this happen.

  • Each team must recognize the knowledge the other teams bring to the table. While there needs to be a baseline understanding, no single constituent can be specialized in all aspects of application development, deployment, and security. Without respecting each other's expertise, there's no way to move fast and be secure at the same time.
  • Consider new training to ensure teams know the limits of their knowledge and the needs of the other teams. For security professionals, this means keeping up to date with the latest development methodologies and services in the cloud. For developers, it means learning the limits of their security knowledge, and knowing when to ask a specialist for help.
  • Teams need to meet regularly to review their shared understanding and raise needs for specialists on the projects they are working on. Cooperation happens only through proactive dialogue. Put a monthly meeting on the books today.

Automation, virtualization and the cloud have brought sweeping changes to how applications are developed and delivered. IT is a far more exciting and dynamic place to be than it was just a decade ago, and technologists have far more impact on the success or failure of business. But that also brings new levels of responsibility. A single security incident can affect the valuation of an entire company. Dev teams and security staff must work together to ensure this does not happen.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...