This is part 2 in a mini-series about the current paradigm shift in security towards a continuous security approach. Rickard Carlsson, Detectify CEO, was on Enterprise Security Weekly to shed light on it, and this article delves into the need for velocity to activate this strategy.
From scanning networks to scanning apps
A decade ago, scanning networks once a month was considered security best practice. Fast forward to 2021, where most things are an app: the velocity at which security happens – especially breaking it – has changed, and it’s time to think differently. You need to protect web apps because they’re the new perimeter, but shifting left isn’t enough for appsec. You need continuous security.
Part of this means having the right tools in the right places, and the other part needs security to be integrated in order for it to activate business innovation instead of stopping it.
Going from once a week to every deployment
The best practice from modern cloud-native leaders is to run security tests using Detectify or another DAST every time something is deployed into production – especially since things can go from staging to production in as little as 15 minutes. Yeah, that’s freakin’ fast!
This window may not seem like a big deal, but new vulnerabilities are also discovered at a similar pace. Currently, the Detectify research team can take actively weaponized payloads from hacker to scanner in that same 15 to 25 minutes.
Image: Vulnerabilities exploited within two days of either PoC or exploit code being made publicly available, Q1 2018–Q3 2019 – Source: FireEye
FireEye reported that exploits for new critical vulnerabilities are executed within the first 48 hours of the PoC or exploit code being made available. Running vulnerability testing at a higher frequency will get you close to the pace of attackers and enable detection in time. Once a vulnerability is found, the information must get to software engineers and development teams fast, and that requires collaboration to execute.
So, pause and check: how fast is your team able to take in breaking security news and build tests from it? Can it be improved?
The conventional advice is to shift security left, but this approach still positions security as a control checkpoint instead of a collaborative actor. You’ll lose velocity if security bugs are found but not prioritized, whether because there isn’t enough knowledge or not enough desire to act. Consequently, innovation stops.
The cool kids are doing it with velocity
SaaS leaders are powered by collaborative, domain-driven development teams. They design, code, ship, and iterate continuously on both development and security. If a security bug is found, it’s shared with the team right away for risk assessment and goes straight into the backlog. They do this multiple times per day, and there are no major rollout processes. Check out how Spotify dispatches information in their DevOps practice.
Security works like a routine heart-rate check rather than a tollgate. Instead of stopping processes, security equips teams with the information they need to continuously harden applications. Some bugs will make it into production; what matters most is that they are detected and fixed in time.
Others remain afraid in security silos
In less security-agile companies, Rickard Carlsson says, it’s common to hear that security testing isn’t frequent at all; the typical answer is, “no, that’s something that we do in our annual penetration test.”
If you’re in this camp, then you are falling behind the curve. At the rate at which vulnerability information flows, feedback may not reach the software engineers in time. It also means you aren’t staying up to date on what is actually vulnerable versus what is exploitable.
Rickard says, “it is something that is fundamentally broken in this [old-school security] information process.”
Collaborate with external experts for more speed
Remember when we said Detectify’s research team builds hacker knowledge into the scanners in 15 minutes? How is that possible? Detectify leverages a private network of leading ethical hackers to crowdsource research and real hacker payloads into the vulnerability scanners.
You can work with an automated scanner to access ethical hacker knowledge, and complement this by starting a Responsible Disclosure Program that invites researchers to send in more creative findings. This combination is effective for building up a continuous security practice and putting details in the hands of app owners before they’ve even heard that an exploit was possible.
So if you’re a security director with a need for speed, how do you integrate security?
Shifting left doesn’t necessarily ensure that security is considered continuously all the way into production. To become a more secure and speedy organization, you need continuous security that won’t block, which means:
- ongoing security checks
- constant reprioritization of all bugs
- continuous integration and deployment of the needed fixes.
Without all three, you could end up with a worse security posture by keeping security only on the left.
4 ways to assess security to activate innovation:
- Start by assessing whether security is a controller or an enabler for business development
- Identify where security activities can help people do things instead of just monitoring them
- Put less emphasis on shifting left, and implement continuous security in production
- Include security improvements in feedback to product development
4 ways to add velocity to your security flow:
- Work with security vendors that implement new security research within hours of disclosure, or within minutes when PoCs are shared
- Send immediate feedback from production to engineering as soon as vulnerabilities are found
- Run continuous security in production to keep track of threats in the wild
- Source vulnerability information from external experts to save time and gain speed
Rickard Carlsson sums it well:
“It’s a matter of hours until discovered vulnerabilities are being weaponized and scanned over the internet, which means this is the same velocity you need to act on. You need to ingrain the whole notion of velocity into security to stay ahead of the curve.”
Ultimately, the fast pace of vulnerability discovery challenges traditional security. Tech organizations have to get used to the increasing velocity of security if they want to stay relevant and innovate.
How can Detectify help?
Detectify offers cloud-based web application security solutions that streamline the delivery of vulnerability findings to application owners. Detectify collaborates with ethical hackers to source the latest security research. This means verified results and clearer visibility with less noise. With Detectify you can bring security up to speed and scale with development, and go to market safer. See it for yourself with a free 2-week trial. Sign up today.