Whenever engineers discover a new security issue, the question arises every time: is this an exploit or vulnerability? What is a software vulnerability? How does it…
In days gone by, highly regulated industries like pharmaceuticals and finance were the biggest targets for nefarious cyber actors, due to the financial resources at banks and drug companies’ disposal – their respective security standards were indicative of this. Verizon reports in 2020 that, whilst banks and pharma companies account for 25% of major data breaches, big tech, and supply chain are increasingly at risk.
Surely then, the way to protect against vulnerabilities and nefarious activities is to rigorously enforce security standards? Wrong.
In this piece we’re going to examine the landscape of information security policies today, and how new approaches and tools make security seamless.
Security standards come in all shapes and sizes, some are relevant to developers, whilst some are more relevant to how a whole organization holds and handles data. Traditionally, security standards are enforced by an individual – typically an infosec or compliance persona. This approach has two flaws – the enforcer’s distance from the developers, and the broad strokes of infosec standards.
Under this model, and particularly in big companies, information security and compliance is governed by separate teams or individuals. These people are normally non-technical and are logically separated from the development team. This means that the enforcers of security standards don’t always understand the implications of what they are enforcing, nor the people upon who they are imposing the standards.
Additionally, recent research has shown that the security standards that we all know are applied like blankets from industry to industry. With no specificity for development methodology, organizational resource, or data being handled, these overarching principles don’t engage the developers that should be adhering to them.
All this comes down to a reliance on people, be it compliance professionals or developers, to understand, enforce, and implement these policies. This is not only a manual task, but it’s also onerous and doesn’t embrace the models of successful agile product development and release.
If you’re familiar with Disney’s The Mandalorian, then you’ll know the unending mantra of “this is the way”, uttered by all members of the secret sect. DevSecOps has shown the technology industry that dictated standards aren’t the only way.
A shift-left mentality, DevSecOps requires organizations to bridge the gap (and in some cases, absorb the space) between development and security. An article on the rise and success of DevSecOps outlined three defining criteria of a true DevSecOps environment. First, developers should be in charge of security testing. Second, fixing security issues should be wholly managed by the development team. Third, ongoing security-related issues should be owned by the development team.
Whilst the principles for DevSecOps success are straightforward, the practices are often less so. Creating a secure-by-design architecture and coding security elements into your applications are key ways of breaking down the silos that security standards created.
Gartner states that cultural and organizational roadblocks are the largest impeders to the unification of development and security operations individuals and teams. Looking at research from Gartner, surveyed CIOs and leading software vendors, security should be wrapped around DevOps practices, not just shoved into the mix.
What does wrapping security around DevOps mean? In theory, it’s allowing the expertise of SecOps engineers and compliance professionals to impact development. In practice, it means allowing these professionals’ knowledge of the changing security and threat landscape to permeate in day-to-day DevOps activities.
Take Kubernetes for example. It provides network policies, which under the traditional model, may be allocated as part of an overarching InfoSec strategy. Neither dynamic nor totally secure, this is setting yourself up for failure. Implementing Zero Trust Networking is a DevSecOps mindset which, with tools like Istio, gives a service mesh providing both application and container-level security through alerting policies and active prevention.
Alerting is key. It takes away the idea of rigid security standards and instead provides the flexibility of implementable policies throughout the application and network layers. In an article covering the DevSecOps keys to success, there is one recurring theme – use whatever tools at your disposal to increase process speed. A mature monitoring and alerting system is the lynchpin to rapid security and development practices and provides the foundation for automation.
By integrating monitoring and alerting capabilities into a SIEM dashboard, security events can be analyzed in a cross-cutting way to tie together many extraneous factors which would otherwise be disparate. Adding automation, even something as simple as advanced messaging, on top shortens response time and guarantees uptime. When so much of DevSecOps is reliability engineering, your monitoring and alerting tool is the quarterback in your stack.
Out-of-the-box fully wrapped SaaS monitoring and altering with built-in threat detection – “this is the way”.
Coralogix provides policy-based analysis to support your monitoring. On top of that, you get alerting with myriad integrations to plug into every component of your stack. This alerting allows for sophisticated policy creation based on security requirements, empowering a true DevSecOps mentality and workflow within your organization.
Features like Flow Anomaly, ML-powered Dynamic Alerts, and a simple Alerts API mean you no longer need rigid security standards. Intelligent, inbuilt policies guarantee your applications and infrastructure can stay protected and progressive.