New global data from Checkmarx reveals that 92 percent of organizations struggle to implement security into DevOps — even though they say they want to. The heart of this issue is the common misconception that security slows things down, which leads to the common practice of skipping security measures in an effort to get things done.
While this approach may seem to create a payoff in terms of productivity, any gains are short term at best and are always offset by the fact that the company is at greater risk for a breach.
But the truth is, speed and security are not mutually exclusive, and you can effectively integrate security into operations throughout your organization if you follow SecOps best practices.
With that in mind, we’ll use this post to walk through the three major questions your organization must ask as it moves toward operationalized security.
Before diving into the post, however, take a look at details on our upcoming webinar — “How to Spend Your Security Budget in a DevOps World.”
Upcoming Threat Stack Webinar: How to Spend Your Security Budget in a DevOps World
Security budgets are trending upwards – in fact, they are expected to increase by 19% over the next two years – but is this enough to keep pace with developers as infrastructure continues to evolve?
The biggest challenge for most organizations is choosing a scalable solution that will fit the budget. In this webinar, Mark Moore, Threat Stack Sr. Software Security Engineer, and Kevin Durkin, Threat Stack CFO, will speak about the current state of security budgeting and where to best allocate your security spend. In this webinar, they will cover:
- Findings of Threat Stack’s just released State of Security Budgeting in 2018 Report
- How to leverage DevOps tools for Cloud Security
- CFO’s take on security budgets and vendor selection criteria
Live online Nov 8 at 1:00 PM ET or on demand after 60 mins
Question #1: Who Owns Security?
So, who owns security? This a trick question because security is everyone’s responsibility, and a culture shift needs to take place to get everyone on board.
All employees should have some kind of security training that aligns with their job roles. For developers, secure code training from SANS Institute or OWASP could become a part of new hire onboarding as well as ongoing professional development. To help foster collaboration, you could seat Security and Development teams next to each other so that security personnel learn DevOps best practices while Ops learn about security.
Finally, don’t forget that it sometimes takes numbers to convince people about the value of a new initiative. For ideas on how to “sell” the value of security to your organization and encourage participation from all employees, take a look at this post by Threat Stack’s CFO.
Question #2: Have We Embraced Automation as Fully as Possible?
At Threat Stack, we recommend automating as much as possible. It’s a great way to increase speed, ensure repeatability, and reduce error and risk throughout your organization.
Because automating everything is a big undertaking, we recommend starting with a few specific functions. Here are a couple of examples:
- Permission Changes on Files: This can often indicate an exploit, which is why file permissions shouldn’t be edited manually on host machines. If this happens, it could mean that an unauthorized file has been downloaded and a user or script is attempting to execute it. You can automate permission changes and also set up alerts so that any time permissions are changed, you receive a notification.
- User Privilege Escalation: Similarly, SecOps teams should monitor privilege escalations in production. These can be early indications of a breach — especially insider threats. Instead of setting up privileged access manually, you can automate the escalation of new privileges in production environments using configuration management scripts.
Question #3: Are Our Tools Built Into Existing Workflows?
Security companies like Threat Stack are under a lot of pressure to keep data secure while still continuing to innovate on product development. At the end of the day, we need tools that make people’s lives easier, simplify processes, and make security a natural part of workflows. Most of all, we want to ensure that if you are trying to get a job done quickly, you can still do it securely. So when existing products don’t allow us to achieve these goals, we build in-house.
To that end, here are a few of the tools we’ve built:
- Deputize – On-call rotation response management
- Authkeys – Public key authentication
- VPNNotify – Slackbot to report unauthorized logins
Another useful tool that we use in-house, but is not yet available for wider use, is a command line tool that generates temporary AWS user credentials for accessing AWS resources like databases. This embraces the security concept of using short-lived tokens to access sensitive resources, something developers and operations personnel use every day.
Question #4: Bonus Question
We’ve gone through the top three questions you should ask when operationalizing security at your organization.
But we have one more: Have you read our SecOps eBook for Cloud Infrastructure Part II: Practitioner’s Guide for Security & Operations Teams?
In this new eBook, we explore specific people and process improvements you can make to start operationalizing security best practices at your organization.
After reading this guide, you’ll be ready to create a more mature SecOps organization by replacing unstructured, ad hoc tactics with defined, repeatable, automated processes that every team can buy into and benefit from.