Cybersecurity breaches get headlines. So when destructive attacks like WannaCry and Petya strike, everybody pays attention.
That’s good because cyberattacks are a real and constant threat. And if you don’t properly defend yourself against that threat, you put your business, your employees, your customers, your suppliers and the entire digital ecosystem at risk. In fact, research conducted by the U.S. Department of Homeland Security (via CSO) found that 90% of security incidents happen because of defects in software.
But there’s also a significant downside to headline-driven security. Effective cybersecurity is not a game of whack-a-mole. It’s a highly challenging endeavor that requires rigorous discipline -- especially when it comes to optimizing the allocation of your company’s very limited cybersecurity budgetary and staff resources. So if you throw those resources at a headline just because it’s a headline, you’ll lose.
And there’s definitely a much better way to go about protecting yourself.
The Real Threat Matrix
Ransomware is one threat. Denial of service is another. Privileged insiders with malicious intent are yet another.
In fact, Verizon’s annual Data Breach Investigations Report for 2017 taxonomized threats into nine different categories, and 88% of breaches fell into those categories. This stat alone indicates that whatever the threat of the week may be at the moment, it’s just one of many.
Just as important, the threat matrix as documented globally is not identical to the threat matrix your company is experiencing individually. The threats companies experience vary by industry, size, technology portfolio, brand visibility and sheer happenstance. So while it’s wise to stay informed about that global reality, your resources are best allocated in a way that aligns with what it is you have to fight off.
And your company’s cyberdefense strategy shouldn’t just align with the particular set of threats you’re experiencing at any given time. Your defense should also align with what it is you most need to defend. For some companies, those treasures are trade secrets. For others, it is customers’ sensitive personal health information. But your defense priorities are uniquely your own.
The bottom line: No one can afford to defend everything against everything. Excellence in cyberdefense is about defending the right things against the right things as efficiently as possible.
A Culture of Defense
By 2019, Gartner predicts that "70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components." This raises two urgent questions: How can I cultivate a true culture of security within my organization? And once I have done that, what ongoing best practices can I implement?
A shift toward a culture of security begins at the top of the organizational chart. Having executives on board with a full commitment to security that is built directly into the development process is a pragmatic method to weigh the true cost/benefits and risk/reward. Regardless of the associated cost (time, resources), it is well worth it when considering the repercussions of a security breach. As Yahoo found out, the fallout can be cataclysmic.
Embedding security into the fabric of your culture is also facilitated by fostering openness, ongoing learning and ease of sharing information. The finger-pointing game between development and security can be reduced with a collaborative environment that ensures everyone’s security aptitude is at the appropriate level.
A strategic approach to implementing a culture of defense is to build security directly into the development process. By evolving from mere DevOps to DevSecOps, companies can more effectively mitigate risk while also reducing security costs.
With this in mind, here are a few DevSecOps best practices for you to consider when thinking about integrating security into the development process:
1. Test before you trust: According to Sonatype's 2017 DevSecOps Community Survey (registration required), only 27% of DevOps organizations perform app security analysis at every stage of the software delivery cycle. As you are rolling out code, take precautions to test for security issues throughout the development process. Having an extra pair of eyes is never a bad thing, either. You can even incentivize your team with a bonus for every issue found.
2. Keep processes clear and simple: Eliminate guesswork when it comes to your security guidelines and policies. Determine what minimum levels are acceptable and make sure they are easily understood by the entire team. If it is easy enough to keep in your head, you’ve done it right. The goal is to make it impossible for DevOps teams to skip over security.
3. Lifelong learning: A true culture of security isn’t created with a single training session. Various training meetings should be held periodically throughout the year. As the collective team’s IQ grows, so should the difficulty level of the training. A recent white paper by DevSecCon shares that it is also valuable to teach developers about the attacker’s perspective, practical hacking exercises and vulnerable applications.
4. Automate wherever possible: Put security controls in place that do not require manual configuration throughout the DevSecOps cycle. This reduces the likelihood of misadministration and mistakes happening, which, according to Gartner, are the leading cause of incidents, unforeseen downtime and successful security attacks. Additionally, automation helps ease the burden placed on security professionals having to do manual configuration, which can negatively impact the agility of DevOps environments.
A recent study by CA’s Veracode business unit revealed that only 18% of developers are measured on their security practices, while 33% are measured on how well they deliver application functionality.
Putting aside the fact that 33% itself is a low number (indicating that developers are generally not well-measured), the 18% is borderline irrational. If a company truly wants to protect itself digitally, then it is clearly imperative that its core applications be highly secure. That’s not going to happen if developers are allowed to produce non-secure software -- and companies then try to somehow secure those inherently non-secure applications with a bunch of add-on technologies and processes.
In other words, beware of headline-driven security. It’s far better to be proactive with strong threat intelligence, best practices for DevSecOps and a true culture of security. You’ll likely spend less and be safer.
