In the wake of the Equifax breach, many companies are probably wondering if this could happen to them. The answer, unfortunately, is likely yes. As more companies rely heavily on software, the likelihood of this type of disaster increases, as does the damage such incidents can do. After almost 20 years of struggling to build secure web applications and APIs, is the situation hopeless?
The problems that security wrestles with are strikingly similar to the problems that DevOps addresses in software development. DevOps has shown dramatic benefits: It has a five times lower change-failure rate, it has a 96 times faster mean time to restore service, and it's two times as likely to exceed business goals.
Security has numbers too, but they're not inspiring: The average application has 26.7 serious vulnerabilities, 82 percent of breaches in financial organizations are due to applications, and the average breach costs $4 million.
So perhaps DevOps can provide a path to a better way of achieving security. Here are interpretations of the "Three Ways of IT" from The Phoenix Project by Gene Kim, that can translate for security.
1. Establish security workflow
Security work is elusive. It might seem as though successful security means "nothing happens." This can lead to a culture of just "doing stuff" instead of delivering value. So, the "First Way of Security" is to ensure that you're delivering what the business needs. This starts with truly understanding the work and breaking it down so that you can deliver it efficiently.
Whether it's vulnerability assessment, threat modeling, building defenses, intrusion detection, compliance, or any other security work, the First Way teaches you to break these jobs down into small batch sizes that can be executed efficiently. In many cases, this work can be staged in a way that can be delivered as part of ordinary software development work, without security experts getting involved.
Consider reorganizing security work to focus on a single risk at a time. Rather than doing a huge monolithic risk and vulnerability assessment that covers everything, pick your most significant risk and perform all of the steps, including threat modeling, implementing defenses, security testing, and incident response. This workflow should quickly deliver working defenses for this single risk, as well as an effective infrastructure to provide continuous assurance.
By recasting security as a concrete deliverable, organizations can not only improve their results dramatically but also create alignment across their organizations.
2. Ensure instant security feedback
The "Second Way of Security" focuses on ensuring that you have tight feedback loops to prevent risks from getting out of control (and expensive). The typical organization has very long security feedback loops–sometimes annual, sometimes triannual—before problems are identified and fixed.
To achieve security, organizations must know and understand all the code they are running across their enterprise. You can't secure what you don't know. So, the Second Way recommends establishing a fully automated application and API inventory system where all servers continuously report not only what software they are using, but all open source components and their version numbers.
The Second Way also involves establishing continuous security verification across the application portfolio. With newer application security technologies like Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), organizations can get instant security feedback and deliver it to the required team members using the same tools already in use.
3. Encourage a security culture
There are some companies that consider security as a part of everything they do… and then there are the companies that get hacked. Achieving this "security culture" is not easy, and must start at the top. The "Third Way of Security" is designed to help you create that culture of experimentation and learning that security needs.
One way of thinking imagines security as an emergent property—the result of the constant tension between attackers and defenders. It's an organization's rate of evolution that matters. How fast can you adapt to new threats and vulnerabilities? To build security up quickly, work on accelerating the cycle time for security within your organization.
Another key practice is to embrace both vulnerabilities and attacks as opportunities to learn. Many organizations shroud security in secrecy, hiding details of both vulnerabilities and attacks. This yields a culture of secrecy and fear. Establish the infrastructure you need to be aware of who is attacking you, what attack vectors they are using, and what applications and APIs they are targeting. Make "security in sunshine" your goal, and encourage everyone to participate without retribution.
Reimagine your security
For all the talk about DevSecOps, Rugged DevOps and so on, most organizations haven't done much beyond automatically pushing the "scan button." This does almost nothing to address the challenges in security, and it disrupts the DevOps pipeline with long delays, false positives, and PDF reports.
Instead, follow the proven path of DevOps by changing your security fundamentally. With these Three Ways, you can redefine the work of security so that it can be done by DevOps organizations with minimal interference from security specialists.
You can accelerate this work and deliver what the business values, rather than slowing the business while simultaneously delivering an incomplete solution. And you can eliminate security exceptionalism and create an organizational culture where security is truly part of IT.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.