October 30, 2015
I used to think that security and risk (S&R) pros were a little paranoid by nature as if it was part of their DNA. In my past when I was working on developing applications, my only real interaction with S&R pros was an email with a report listing lots of potential vulnerabilities right before the release of the product. Security testing always seemed to be the last step. We’d scramble to fix anything that was quick and easy, defer anything critical and hand wave the other issues hoping to get exceptions. I never really internalized any clear and present danger. But I’ve been researching how I&O pros can help shore up application security and my eyes have been opened. Turns out that if S&R pros are paranoid, it’s because they know more than we do. Here’s the truth of it: your customer facing applications are being probed for weaknesses. Constantly. And they will continue to be probed as you introduce new features and functionality. Worse yet, malicious attackers are highly skilled, resourceful and determined. And more often than not, we are leaving our applications open to attack. Here’s some of the unsettling facts I discovered and documented in my new reports Five Steps To Reinforce And Harden Application Security and The Seven Habits Of Rugged DevOps:
· 47% of web applications have unprotected file issues due to web server misconfigurations.
· 63% of companies have no clear and complete idea of the third party components used in their applications, and 23% of components in a typical application have known vulnerabilities
· Fortune 100 firms have had a material loss of intellectual property trade secrets and sensitive organizational data in the past two years.
· The median number of days that threatening groups were present on a victim's network before detection was 205 in 2014, and only 31% of victims discovered the breach themselves.
We are essentially putting out door mats and welcome signs on our applications for malicious attackers. Unfortunately, the problem of the past was that we, both development and operations, got the security report too late in the development process. Security wasn’t designed and then tested throughout the life cycle to ensure that it was baked into the product. The good news is that the continuous delivery pipeline developed through methods such as DevOps gives operations, development and S&R pros a new way of proactively working together. We can use the continuous delivery pipeline to:
· Insert automatic security testing early and often. Using the automation in the continuous delivery pipeline, a variety of security testing can be inserted as early in the life cycle as possible and used as quality gates for release. This gives feedback into development and operations as close to the time of making the change as possible so that any issues can be rectified quickly.
· Create an audit trail. Not only are audit trails useful for actual audits but S&R pros and I&O pros use this trail to understand what has changed and when to reduce MTTR and understand which applications are affected when vulnerabilities are found. All of this comes for free when the automated tools of the continuous delivery pipeline are used to create changes in code and infrastructure.
· Release fast to respond to vulnerabilities. We can’t prevent every attack. But once we know of a vulnerability, we can release fixes fast to prevent greater exposure.
For more information on how to use the continuous delivery pipeline to secure applications, please take a look at the above mentioned reports. Let’s partner with our S&R colleagues and make it hard for those malicious attackers to exploit our applications!