The Bifurcation of Security
In recent years, we’re seeing a clear split within the security community. There’s the “traditional” enterprise security focused on auditable controls, segregation of duties, approvals, change management, etc. These traditional controls are well-aligned with the waterfall model, but when applied to Agile software delivery organizations, a disaster inevitably occurs.
And then there’s the “modern” approach, inevitably developed as a response to the Agile revolution and adopted by fast-paced software development organizations and cloud natives. It turns out that managing security risk in an environment where speed is one of the most important factors requires a different mindset, which is what brought things like DevSecOps to life. One has to account for the fact that “we cannot deliver value faster than the competition” is equivalent to running a significant risk of being out of business.
The traditional and Agile approaches to security are not very compatible, and you don’t have to go far to find examples of this. Take DevOps, and compare it to the classic security and compliance requirement of ensuring developers don’t have access to production systems. One is not inherently better than the other until you specify the context in which they’re applied.
Interestingly, audit standards, such as SOC 2, are heavily aligned with traditional approaches. This results in stress and significant challenges for tech companies when aligning their internal processes with the requirements of the standard.
Modern-Day Security Challenges
The aforementioned split didn’t happen randomly. It was a response to the modern-day challenges that organizations and security teams are facing. Let’s highlight some of these challenges to understand what is driving the change in the security mindset:
- Speed kills? Increased velocity, and in particular optimized Flow Time, is one of the core benefits of the Agile approach. Security processes that get in the way of speed are likely to be ignored or discarded. A related trend is the drive towards autonomous teams: when developers have to wait for a security review done by a separate group, that does not align well with increasing velocity.
- Cloud-first and API-driven stacks are the norm for today’s software solutions, which brings the challenge of secrets management to the frontlines. The medieval-inspired approach of “tough on the outside, soft on the inside” no longer works when your cloud infrastructure APIs are accessible from anywhere with appropriate credentials.
- The complexity of emerging technologies has an increasing impact on security. In some cases, we have to adopt new tools when we still don’t fully understand how they work or what attack surface they have. In an era when “built-in security” is a fashionable buzzword, it’s astounding to realize how many software products feel like security has been an afterthought (no authentication out of the box, anyone?).
Securing the Value Stream
There are whole books written on modern approaches to information security, so without any claims of comprehensiveness, here are some of the things that might help drive security that is practical and aligned with organizational goals.
Holistic approach. Security does not work well in isolation. In particular, security should take into account the end-to-end value stream. Our product is not our source code; it is the packages, images and configurations running in a production environment, Cloud or on-prem alike. Risks can arise at any point throughout that value stream, from the architecture and source code, to third-party components, the build pipeline and operational environments. By not looking at the whole picture we risk spending effort on the wrong problems.
Shifting left. Security issues are a ticking time bomb. The cost of fixing them multiplies several times over at each step of the value stream. Implementing processes aimed at identifying potential security issues as early as possible improves the flow by addressing issues at the point of origin. An excellent example is static code analysis – by employing tools that highlight potential issues right at the time the code is written, one can save an enormous amount of time reviewing, triaging and fixing the results of a static code analysis scan that is done once a month. Such a shift increases velocity and autonomy and squashes wait time.
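As an added illustration of the shift-left idea (example code written for this article, not part of the original post and not Tasktop's or WhiteHat's tooling): a minimal pre-commit style check that runs a handful of static rules over the files a developer is about to commit, so that a hardcoded credential or a risky shell call is flagged at the point of origin rather than by a monthly scan. The rule names, patterns, the `allow-secret` suppression marker, the file names and the sample file contents are all constructed assumptions; the AWS key in the sample is the well-known placeholder from the AWS documentation, not a live credential.

```python
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One rule hit: where it was found and which rule fired."""
    path: str
    line: int
    rule: str
    snippet: str


# Hypothetical rule set. Each rule is a compiled regex applied per source line.
# Real scanners carry far larger rule sets; these four are enough to show the idea.
RULES = {
    # AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
    "hardcoded-aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A password-like name assigned a quoted literal (reading it from the
    # environment or a secrets manager does not match, which is the point).
    "hardcoded-password": re.compile(r"""(?i)(password|passwd|pwd)\s*=\s*['"][^'"]+['"]"""),
    # PEM private key material committed to source.
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # subprocess call with shell=True, a common command-injection sink.
    "shell-injection-risk": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
}

# Constructed inline marker a developer can add to a reviewed false positive.
SUPPRESS_MARKER = "allow-secret"


def scan_lines(path, lines):
    """Apply every rule to every line of one file and collect the hits."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if SUPPRESS_MARKER in line:
            continue  # explicitly reviewed and accepted by the author
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, number, rule, line.strip()))
    return findings


def scan_files(files):
    """files maps path -> file text (what a pre-commit hook reads from the index)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_lines(path, text.splitlines()))
    return findings


def precommit_exit_code(files):
    """Non-zero blocks the commit, exactly like a failing pre-commit hook."""
    return 1 if scan_files(files) else 0


# Constructed sample "staged files" standing in for a real commit.
SAMPLE_FILES = {
    "app/config.py": (
        'import os\n'
        'DB_PASSWORD = "hunter2"\n'                # finding: hardcoded-password
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'       # finding: hardcoded-aws-access-key
        'API_TOKEN = os.environ["API_TOKEN"]\n'    # clean: read from the environment
    ),
    "app/tasks.py": (
        'import subprocess\n'
        'def run(cmd):\n'
        '    return subprocess.run(cmd, shell=True)\n'  # finding: shell-injection-risk
    ),
    "tests/fixtures.py": (
        'PASSWORD = "not-a-real-secret"  # allow-secret\n'  # suppressed on purpose
    ),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
    sys.exit(precommit_exit_code(SAMPLE_FILES))
```

Run against the constructed sample, the check reports three findings (the literal password, the AWS key ID and the `shell=True` call), ignores the line that reads the token from the environment, and honours the suppression marker in the test fixture; the non-zero exit code is what stops the commit. The same rules wired into an editor or CI produce the "issue highlighted as it is written" feedback the paragraph describes, rather than a backlog to triage a month later.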
Optimize for speed. Security controls that significantly slow down your engineering teams will not survive for long. Automate whatever can be automated. As autonomy is being recognized as one of the cornerstones of efficient engineering, the role of security professionals becomes more that of an enabler, with ultimate responsibility for product security lying with Engineering. As much as speed is a challenge, requiring us to rethink how we do security, it is also a blessing. When you can address a security issue and deploy the fix within a day of it being discovered, you significantly reduce exposure time and become inherently more secure.
Metrics play an important role in the continuous improvement process: you cannot improve what you cannot measure. As an example, Flow Distribution might help you answer questions like “do we allocate enough throughput towards reducing risk?” and “are we spending more or less time on security fixes?”, and help management make strategic decisions.
Mitigating security risk through Value Stream Integration
A key part of managing security risk and defects is being able to see them; you can’t fix what you can’t see (at least not until it’s too late). And that’s not easy to do in enterprise software. The bigger the application, the larger its attack surface. Auditing has never seemed so much like building a house of cards in the wind.
As systems scale to serve more customers and cloud adoption continues to drive everything online, it can often feel like trying to spot an assassin in a sea of people. But what if we could put a bright pink hat on them to follow them through the crowd? Well, Value Stream Integration does just that. By connecting all tools involved in the planning, building and delivering of software, including Application Security tools like those of our close partner WhiteHat, we make invisible knowledge work (and its dangerous byproducts) visible and easier to address.
By integrating Agile Planning tools with WhiteHat and other tools in the value stream, everyone has real-time visibility into red flag issues as they arise. Faster detection, faster resolution without all that slow, cumbersome and error-prone manual work through spreadsheets, tool-switching, email threads and so on. Given what happened at Equifax, do you really want to test fate with such a porous, quicksand approach? Automation through Value Stream Integration is a godsend in that respect.
Contact us today for more information on integrating WhiteHat and other tools to the rest of your value stream with Tasktop.