Integrate AppSec for a True DevSecOps Culture
With developers and security teams pushing themselves for quicker production times, higher velocity and increased cost savings, I’ve found that one way to achieve all of these objectives is by creating a DevSecOps culture in your organization. If you’re currently viewing security as individual, one-off issues or in a reactive fashion, you’re putting your system at serious risk for an attack – with huge cost implications. And while some companies see developers and security as teams who operate best when they’re working separately, many have discovered that integrating AppSec into DevOps will actually improve their performance at every level. Here’s how to get started: Overcome resistance to change I’ve found that “not wanting to change” is usually the biggest reason organizations are hesitant to integrate DevSecOps. Change takes time and effort. Developers and security must work together, and there tends to be a learning curve on both sides. Developers need to learn how vulnerabilities are introduced into the development process, and the security team needs to understand coding to provide examples (e.g. input sanitization, parameterized SQL inquiries). Be aware of the time this takes, but be assured that it’s worth it. Foster a culture of openness DevSecOps is a true cultural shift dependent on communication, and you’ll be selling the concept short if you look at it any other way. By having an open flow of communication between your development and security teams, you’re promoting a culture of collaboration and continuous learning which is necessary when integrating functional areas. One helpful tip is to develop use and abuse cases. These provide illustrative models of not only how an application can be appropriately used, but also where ‘bad actors’ can exploit the application. Make security your default setting With more high-profile security breaches than ever, sustainable security needs to be top of mind. After all, a crucial part of DevSecOps culture is having security integrated within all DevOps practices. Conduct regular scans, risk assessments, and penetration tests, and don’t forget: the majority of successful cyber attacks happen due to human error. Encourage developers to become security-aware Once developers see how vulnerabilities can be exploited in real time, it’s very easy for them to understand the importance of application security. I've seen this many times when working with developers; once you sit down with them and start performing a penetration test, or demonstrate concepts like cross site scripting, SQL injection, or command injection, they understand the implications and want to produce secure code. Sometimes it just takes a little collaboration with the security team to help accomplish this. Once security is integrated into DevOps you’ll see the time-to-production speed up. Having security as part of the development process reduces the need for additional penetration testing, as well as dynamic and static analyses to ensure the security of the application. With DevSecOps, it’s easier to spot vulnerabilities much earlier, so you can avoid costly delays. Having an integrated team means developers can write secure code from the beginning, and the security team can spend more time on key initiatives like vulnerability management and endpoint security. Achieving a fundamental shift in your DevOps approach can seem overwhelming, but by integrating AppSec, and therefore prioritizing collaboration and openness, you’ll soon be reaping the benefits that accompany a DevSecOps culture. About the Author: Joe Sullivan is a principal consultant at Rural Sourcing in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute. NEED HELP? LET'S TALK!
Cyberattacks Never Stop: Why Penetration Testing Should Always Be on Your Radar
Microsoft. Facebook. Capital One. These are just three out of the long list of corporate behemoths that have fallen victim to cyber security breaches in the last year alone. And now, with hackers actively targeting essential services providers, no one is truly safe. What can your organization do to avoid becoming a victim? The answer is simple: penetration testing. What is penetration testing? The National Cyber Security Center describes penetration testing as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques an adversary might.” A penetration test attempts to exploit any vulnerabilities in your system, and add context to what the risk is to your organization. There are five different types of penetration tests: white box (the hacker is provided with a small amount of information ahead of time regarding the security target), black box (also known as a blind test, where the hacker isn’t given any information ahead of time), internal (the hacker completes the test from within the organization’s network), external (the “attack” is carried out from a remote location to go up against the company’s external facing technology), and covert (a test where no one in the company knows that it’s happening). The types of tests your organization will need depends on the regulations you’re subject to, and the goals you have for the test. No matter what type of penetration testing your organization undertakes, below are my top five reasons why you need it sooner rather than later. 1. To test the effectiveness of your security controls Part of the process of establishing a formal information security program is using an industry recognized framework. The most popular frameworks are NIST 800-53, the NIST CSF, and the CIS Controls. As organizations adopt these controls and frameworks, it’s a good practice to have a penetration test performed to test effectiveness of the implemented controls. 2. To test the effectiveness of your incident response team A penetration test is a great way for organizations to test their incident response team’s ability to respond quickly and efficiently after a potential cyber emergency. This can be done by performing an unannounced penetration test to simulate an actual cyber incident, or by working with the team in what’s called a Purple Team engagement. Purple Team engagements involve the penetration testers working with the incident response team while walking through an actual attack to determine where improvements can be made. 3. As part of a third-party attestation statement of your security program In some cases, an organization will need to satisfy the requirements of a client or partner’s vendor management program. In cases like these, the partner or client may request proof that their network and systems are secure. A penetration test can be performed in order to provide that verification in what’s known as a third-party attestation statement. 4. To ensure compliance with regulatory requirements and security frameworks Companies subject to regulations such as PCI, GLBA HIPAA, and SOX are periodically audited to ensure they’re in compliance. In these situations, a third-party auditing firm will perform a penetration test based on the corresponding regulatory requirements. After the test is complete, a report is provided to the client, which may be requested by the regulatory governing body for review. 5. To discover vulnerabilities in software or web applications that you’ve developed. Organizations that develop their own software or web applications should be performing penetration tests as part of the development process, and further down the road, too. This is especially true for web applications. Some organizations will have a penetration test performed when the application is first launched, but fail to test after further updates and configuration changes have been made. It's those subsequent updates and reconfigurations that often lead to a compromise of the application. If you’re using third party code, modules or plug-ins for a web application, you may not be making updates or configurations to your web application, but the providers of those third party solutions may be introducing vulnerabilities in their products that you’re completely unaware of. This is why regular penetration testing is so important for web applications. Penetration testing is one of the best ways to assess your company’s vulnerability to cyberattacks. By engaging in one of the five types of this crucial testing process, you’re able to protect your company from a potentially debilitating attack. The longer you wait to take this necessary precaution, the longer your system is susceptible. Contact us today to take the next step toward digital security. About the Author: Joe Sullivan is a principal consultant at Rural Sourcing in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute. NEED HELP? LET'S TALK.