Taking security challenges from a board-level discussion to a DevSecOps solution

If you are a CIO or a CISO of a large enterprise, you experience first-hand those board-level conversations on strategy and detailed work plans on how to enable Digital Transformation. In particular, board-level conversations focus on how Cloud-native development, Agility and Developer productivity will drive business results. 

In fact, I was fortunate enough to meet with Satya Nadella after Microsoft acquired my previous startup Aorato, and to listen to his cloud-first and Digital Transformation vision.

Two things I learned while talking with executives like Satya and other board members:

1. Most of the executives and board members already acknowledged that their business will be disrupted in the next two to five years.
2. Digital transformation is the key element for achieving competitive advantage, and driving constant growth with greater efficiencies.“Speed is required to stay competitive” GitLab

What we’ve noticed is that enterprises that allow developers to be responsible for the end-to-end delivery are at the forefront of Digital Transformation. In these environments, development teams take the end-to-end ownership across architecture, business logic, data flows, infrastructure and security controls.

They don’t need to “open a ticket” for IT, or manually open the cloud provider UI to fire-up a compute resource, change network structure, add roles or policies, or change the API gateway configurations whenever they introduce a new API – it is all code.

Development ownership is one of the fundamental cultural changes in enterprises, and it’s what drives growth.

This culture change fundamentally affects the way most enterprises work, creating an inherent friction between development, security, and compliance teams, which is challenging the entire security and compliance paradigm.

One of the smartest CISOs I’ve met told me “developers need speed and agility while cybersecurity teams need controls and risk management”. There is no better way of describing this challenge.

The faster developers go – the deeper the problem gets.

“Nearly 83% of our 2020 Global DevSecOps Survey respondents said they’re releasing code faster than ever with DevOps. With the pace of work accelerating, some important details are easily overlooked or underestimated – like security” GitLab

Unfortunately, today’s existing security and compliance tools and processes hold developers back instead of helping them in several ways:

1. Risk assessment and threat modeling tools tend to rely heavily on self-attestation which leads to poor data quality or inconsistent/unreliable identification and remediation of risks. In addition, these tools are not being validated against material code changes that are eventually delivered to production with risks
2. Penetration testing is a labor-intensive process that must be contextual to be able to produce meaningful insights. There are two options to conduct a contextual penetration testing: 1) interview the development teams to identify the material risky changes and focus on those, or 2) manually review Jira tickets to understand the context of these changes. Again, we rely on self-attestation, which leads to less meaningful results.
3. Risk remediation of cloud misconfigurations is made only after the fact and not at the design phase, when you develop your Infra-as-Code. The later issues are identified in the DevOps process, the more challenging and time-consuming fixes become.
4. SAST tools focus only on identifying vulnerabilities! And the reason why they produce a lot of false-positives is because they lack context around developer knowledge and behavior, material code changes, and business impact.
5. Security architects need to manually triage all results while having a deeper understanding of these code changes before deciding what the risk is and how to remediate it.

As a CISO/CIO you need to take a proactive approach to mitigate these challenges. Here are my top 5 tips:

1. First and foremost, to be efficient you need visibility. Build an adaptive inventory that automatically identifies your products across all code repositories, their business impact, internal vs. internet-facing, code components, security controls, data models, licenses, dependencies, developers knowledge, and more
2. Build an efficient, data-driven security champion program – assign developers inside the development team to invest 30% of their time reviewing risky material changes and help others remediating risks at the design phase, before production
3. Stop bothering developers with tedious risk assessment questionnaires, long security and compliance reviews. Automate your governance and assurance, and trigger contextual remediation workflow based on risky material changes
4. Allow developers to remediate the risk by leveraging the knowledge of other developers in the organization. Do this before deployment
5. Build a unified risk profile across developer knowledge, material changes, and their business impact. Use this unified risk profile to decide whether or not to release new changes to production

At apiiro, we use these insights as the basis for our industry-first Code Risk Platform™. We enable security architects, champions, and developers to automate visibility, compliance assurance, and risk remediation with every changeacross applications and infrastructure. Before production.

By doing this, we help our customers be at the bleeding edge of Digital Transformation, helping them securely develop applications faster than their competitors, and achieve business success.

Learn more about our platform