Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
03:10 PM
Simon Marshall
Simon Marshall
Simon Marshall

Should Security Silos Still Stand?

DevSecOps would tear down every functional silo in security. Is that a good thing, or do corporate silos still serve a valuable purpose?

DevSecOps needs a big shake-up. Given IT security's rich heritage, the "security as code" movement is fairly freshly minted. Yet already it is simply not working as well as it should in practice.

The main issue stems from the way that operations, security and development work together. Recent history has taught us that security has taken a fairly tight rein in the three-way group, operating at one end of the DevSecOps continuum. At the other end, development has been frustrated and feels like its wings have been clipped. There needs to be a happy medium in this dynamic.

That's according to PJ Kirner, founder and CTO at Illumio -- considered a unicorn company -- a firm that segments data centers in order to adaptively try and stop security threats. [Editor's Note: A "unicorn company" is a startup company valued at $1 billion or more.] "The DevSecOps shift of control from Ministry of Security, aka 'the department of no,' to the model where the developer can do anything and everything, was an overcorrection," he said. "Next year, we will realize that that this should not be a democratizing movement (where) everyone gets a vote, but rather more of a republic model."

His view is that collaboration and productivity is undermined if security has too heavy a hand, but that the act of de-siloing to encourage constant software development should be done from a safer place.

"What I think is a challenge is that some people really take that to an extreme, and say, 'all these resources and all of these people are completely fungible'," Kirner told SecurityNow. "The level of expertise needed and the respect for the expertise has kind of gotten lost within the organization in the desire to break down the silos."

Organizations are apparently struggling to define exactly when de-siloing makes sense, and where expertise is critical to making projects successful. No one person is a subject matter expert in development, security and operations, so the real skill is being able to make good judgment calls, and not relying on a set-in-stone playbook or a rigid team structure.

It seems like next year will be a busy one for security. Alongside fixes for DevSecOps, Kirner foresees major changes in Personal Identifiable Information (PII) security. Few would disagree this has been an annus horribilis for widespread PII theft that has generated a black cloud on the horizon as people hunker down and hope their details have not gone missing.

There's a good case for reasoning that, in total, the majority of US citizens will have been affected by a combination of big attacks such as Equifax, Deloitte and Sonic Drive-In. It seems inevitable that this black cloud will soon burst, washing away countless identities.

"Our Identity is no longer ours. PII is no longer valid, since so much of it has been exposed in breaches over recent years," he said. He expects that the data stolen to date will be repurposed into another phase of attacks. For example, it could be weaponized to use in attacks on major institutions in the government, healthcare or financial verticals. The main danger here is that, because of the richer identity picture that hackers have been able to build over time, phishing and social engineering attacks -- already remarkably successful -- will become even more difficult to distinguish from the real thing.

"The scary part is that so much data has been lost -- huge pieces of people's lives," said Kirner. "Organizations needs to start taking securing their customers' data much more seriously. We need more agile and adaptive security controls that move at the real pace of the business."

One area of improvement, given that cyber-attacks are rampant, is to move into a damage control mode before an attack happens. Illumio specializes in micro-segmentation of data centers, essentially enabling businesses to containerize and thereby limit or totally isolate an attack before it spreads.

"If someone's building a submarine, and there's only one compartment, there's a breach, the ship sinks, and everyone is killed. But say you build a set of redundant compartments. Then if there's a breach, you close off the affected compartment and corral everyone to the mess hall. Everyone lives."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...