This is the second in a three-part series on continuous security.
In our previous post we outlined Jit's philosophy behind continuous security, and how elite, modern engineering teams that embrace this approach will actually increase velocity, despite common misconceptions about security bogging down engineering.
Security is here to stay and needs to be embedded early. We've learned this from shift left, which is already proving to not be early enough, and born-left security is now an emerging practice: embedding security as early as the first line of code.
However, applying this in practice requires some realignment of process and practice. By identifying fixes that can be made immediately and prioritizing the rest, we can then create a good framework and baseline security posture to maintain and improve.
When we talk about continuous security, it also consists of a few pillars that will help bring security closer to engineering practices and unleash the true potential of developer-owned security.
These pillars include:
We spoke about this briefly in our previous post, but to unpack this more deeply, let's take a look at what elite engineering looks like, and what security can take from this approach. When we talk about the metrics that quantify elite engineering, there are two primary categories DORA looks at: speed and safety.
With the continued evolution of the attack surface and sophistication of exploits as the stakes get higher with each breach, safety must stop being an afterthought in engineering. While this is usually quantified in metrics such as change failure rate (CFR) and mean time to restore (MTTR), another extremely important focus gaining more and more centrality in engineering processes is security risk management.
But this begs the question: Why hasn't security been a native citizen in development processes until now, despite all of the efforts to shift it left and farther left, and even make it born left?
This is because the entire mindset of security is issue-driven, whereas the engineering mindset is fix-driven.
Let's take a look at the DORA safety metrics, which are measured in CFR and MTTR. Even if you have introduced failure into your systems (where CFR measures how often this even happens), MTTR measures how quickly you can introduce the fix and restore your systems. These are largely regarded as metrics that define elite engineering teams. However, security tools today only introduce noise with the many issues they flag, and very few tools take a fix-first approach.
The most common OSS tools in use today are laser-focused on detection and much less on remediation. Even those that provide guidance for how to fix the issue rarely point you to the exact line of code to fix.
Engineering teams focused on high velocity aren't interested in what is wrong. They're interested in how to fix it when it has gone wrong (they'll reserve the "what happened" for the post-mortem or the sprint retrospective). Resolving the issue becomes the highest value in software delivery.
DevOps and automation have introduced best practices, and eventually even playbooks that can be automated, for the most common failures.
If we start with the first pillar of continuous security, security as code (SaC) is aligned with developer workflows and provides fixes to known problems throughout the coding process. Even more importantly, it also provides extensibility since security is codified and therefore programmable, which ultimately allows people to manage their own custom risks and processes.
Security orchestration is achieved by evolving remediation processes to be more automated, batch-oriented and simpler. Finally, continuous monitoring serves to ensure no new threats are introduced, and those emerging threats in running services are rapidly caught and mitigated.
While the fix-first mindset enables us to not introduce new issues, this doesn't negate the specific effort and resources you should dedicate to continuously reducing your security debt of existing critical issues, which is the orchestration part of it.
By aggregating similar issues and processing them as a batch, you can achieve greater security efficiency and minimize your backlog more rapidly (many security products now take this approach). Continuous monitoring and security orchestration go hand in hand, as once you are aware of existing problems and discover production issues, a good automation process will help mitigate these risks more rapidly than former processes.
This is similar to fixing a breach in a boat. You start by making sure to fix the hole before removing the water. Once you can nail down the mechanism for fixing new issues as they come up and instill a fix-first mindset, it is then possible to decouple this from the effort of fixing existing problems and automating this process as well.
Yet, this is basically where security fails. A laundry list of vulnerabilities simply doesn't do the job any longer.
While visibility and observability are the first steps to fixing failure, understanding how to actually follow through and fix issues rapidly will be the true measure of making security a first-class citizen in engineering and delivery, and then automating what's possible and prioritizing the rest.
Great, so how's that done?
Once we understand this fundamental mind shift, we can reverse engineer how to go about applying a fix-first approach to security for modern engineering processes where the primary goal is to ship code to production as rapidly as possible with security already embedded.
In our previous post, we discussed the three core pieces to making this possible: differentiation, prioritization and remediation. Below we'll take a deep dive on how to apply this in your engineering practices right away.
Let's talk about current security gating and where this can be optimized, automated or moved to the backlog when necessary. When we talk about continuous integration and deployment, the typical diagram includes Build >> Test >> Release >> Deploy.
To this, over the years, we've added layers for pre-coding, coding and post-deployment so this now looks like: Plan >> Code >> Build >> Test >> Release >> Deploy >> Run / Operate
To each one of these phases we have tried to embed security as seamlessly as possible, and this has had some successes and some failures.
One of the great successes of the DevSecOps approach was embedding security checks in a way that is code-centric, and in a place that in any case has other gates: the pull request (PR), with different controls for build, test and release.
This made it possible to include actionable security fixes alongside other code and bug fixes, while still in the same context of engineering that same piece of code. It's a method that has proven highly effective for embedding security into code early, before merging and deploying code to production.
What has proven less successful are the ways that security vulnerabilities have been handled at runtime, both at the level of the cloud provider infrastructure and the application. The common practice for this layer is to run these checks on a predefined schedule and alert the DevOps or cloud engineer to any issue (during the run/operate phase). This is completely decoupled from any engineering process, and often leaves this area in no man's land or opens the door to creating infrastructure drift. The same type of problem occurs with security findings discovered against the runtime application.
Once the code is deployed and running in production, tracking down the code owner is difficult, and bringing them back into this piece of code's context even more so. Infrastructure security issues that arise after the fact are a common contributor to infrastructure drift, as many times engineers prefer to make changes in the console or UI instead of through infrastructure as code. This would require the code to be redeployed through the regular pipelines and checks and adds other humans to the process.
The other half of it is that even when debugging is done in production, many times, due to the urgency of the fix, these changes also bypass code gating. This also assumes that both the fix and the detection are simple, where in reality neither of these is true. Rarely is a solution provided as code, as these tend to be error-prone and complex solutions. And even if it is, the fix is not always straightforward and easy, although more than ever there is a need for shift-left practices for runtime as well.
This commonly happens because after deployment there is no longer real clarity regarding ownership, and scheduled checks are decoupled from any ongoing engineering process. Therefore, if an alert arises, the engineer will want to deal with it as quickly as possible, and manual changes or drift will only be detected upon the next scheduled run. That can be hours, days or weeks away when another engineer is on call.
A good practice would be to move these checks and controls into the same code-centric gate, the PR, and ensure that at the very least they are caught upon first deployment to staging, so as not to reach production again, while the engineer who wrote the code is still in context. This will make it possible to ensure that there are no alerts or issues with the infrastructure and runtime of choice.
To take this further, there are security measures we can take as early as the coding itself through in-IDE security alerts and pre-commit hooks to help embed security as early as possible into our products and systems.
The code-centric aspects are the easy part. They are often already implemented in security-minded organizations, where each PR is viewed as a new security delta from existing code.
For the non-code-centric changes, such as infrastructure changes, IaC and even config as code, it is slightly harder. To be even more accurate and clear, these include changes in the code that lead to non-code issues, such as a change in IaC that has consequences in the infrastructure runtime, or a change in the application code that leads to non-code issues in the runtime. But it is not impossible to find a good framework for defining a baseline and to ensure this is maintained with every deployment or environment change.
Anything that doesn't fall into these two categories of immediately fixable issues is treated as a backlog fix and goes through the prioritization and remediation framework we define, based on severity, fixability and ability to be automated and orchestrated.
Examples Include:
These are just some of the parameters that affect our prioritization and decision-making around issues in our backlog.
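The differentiation, prioritization and batching steps described above can be expressed as a PR gate. This Python example is added here and is not code from the article or from any Jit product; the `Finding` fields, rule ids, severity weights and `block_at` threshold are assumptions, and the sample findings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: the article names the parameters, not how to weigh them.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    rule: str          # scanner rule id (hypothetical ids in the sample data)
    path: str          # file or resource the finding points at
    severity: str
    fixable: bool      # a concrete fix is known
    automatable: bool  # the fix can be applied without a human

    @property
    def fingerprint(self):
        # Identity of a finding across scans: same rule on the same path.
        return (self.rule, self.path)


def differentiate(baseline, scan):
    """Split a scan into the PR's security delta and the existing backlog."""
    known = {f.fingerprint for f in baseline}
    new = [f for f in scan if f.fingerprint not in known]
    backlog = [f for f in scan if f.fingerprint in known]
    return new, backlog


def prioritize(backlog):
    """Order the backlog by severity, then fixability, then automatability."""
    key = lambda f: (SEVERITY[f.severity], f.fixable, f.automatable)
    return sorted(backlog, key=key, reverse=True)


def batch(backlog):
    """Group similar issues (same rule) so they can be fixed as one batch."""
    groups = defaultdict(list)
    for f in prioritize(backlog):
        groups[f.rule].append(f.path)
    return dict(groups)


def gate(baseline, scan, block_at="high"):
    """Fail the PR only on findings it introduces at or above block_at."""
    new, backlog = differentiate(baseline, scan)
    blocking = [f for f in new if SEVERITY[f.severity] >= SEVERITY[block_at]]
    return {"passed": not blocking, "blocking": blocking,
            "backlog": prioritize(backlog), "batches": batch(backlog)}


# Constructed sample data: findings already on the main branch ...
BASELINE = [
    Finding("s3-public-read", "infra/storage.tf", "high", True, True),
    Finding("s3-public-read", "infra/logs.tf", "high", True, True),
    Finding("outdated-dependency", "app/requirements.txt", "medium", True, False),
    Finding("weak-tls-config", "infra/lb.tf", "critical", False, False),
]
# ... and a scan of a PR branch that adds two more.
PR_SCAN = BASELINE + [
    Finding("hardcoded-secret", "app/settings.py", "critical", True, False),
    Finding("missing-resource-tag", "infra/storage.tf", "low", True, True),
]

if __name__ == "__main__":
    result = gate(BASELINE, PR_SCAN)
    print("PR passed:", result["passed"])
    print("blocking:", [f.fingerprint for f in result["blocking"]])
    print("batches:", result["batches"])
```

Existing findings never fail the PR; they land in the prioritized backlog and are grouped per rule, so the two `s3-public-read` findings can be remediated in one change.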
Continuous security is possible by breaking down the formerly daunting domain of security into developer-centric language, tools, workflows and processes. By delivering security as code, the automation already possible in other engineering disciplines is also now possible in security. Once we identify the areas we can automate, it's possible to achieve true security orchestration, basically the automation of workflows and not simply one-off tasks. The final piece is to ensure we are constantly maintaining this baseline security posture we have defined and achieved, through continuous monitoring and grooming of our security backlog.
In our next post, we'll dive into how the adoption of this approach benefits CISOs as well and share the CISO perspective that demonstrates how formerly opposing views are now converging into a single worldview that has, until recently, been a source of friction and frustration in many engineering organizations. All of these together will be the enabler of engineering velocity, making it possible for CTOs and CISOs alike to deploy rapidly and with confidence.
Go here to read the rest:
Continuous Security, the Next Evolution of Developer Velocity - thenewstack.io