While the cloud has been around for a while, many organizations are still in the middle of digital transformation, attempting to replicate within a new architecture the security controls they developed on-premises. Cloud providers do a lot to provide strong baseline security, but under the shared responsibility model many controls remain the customer's job to configure, and as organizations migrate they tend to accumulate new security debt and can introduce critical flaws and vulnerabilities into their environments.
With integration cost the biggest obstacle to adopting new technology, cloud providers will keep improving the security of their software and infrastructure so that customers face less of the work of building security in from the ground up. As systems are aggressively migrated to modern architectures, organizations should consider adopting the following practices to keep security in step with the increased pace of development.
Continuous integration and continuous delivery (CI/CD) is evolving quickly to meet the paradigms of cloud-native software development. Cloud-native CI/CD systems ship with abstractions for cloud providers and container orchestration platforms, but their default settings often need additional security hardening. Beyond the pipeline itself, many of the security issues now emerging come from the distributed nature of modern software systems. Attacks such as server-side request forgery (SSRF) are more prevalent because the attack surface is larger and components trust each other implicitly: a service that fetches a caller-supplied URL can be turned into a proxy for reaching internal components that trust its network position. It is important that we perform security testing from different angles, both during development and in production, to exercise as many code paths as possible.
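As an added example of the SSRF trust problem just described (this is illustration code written for this article, not code from the original page): a URL fetcher that trusts whatever the caller supplies, beside a hardened check that runs before any connection is made. The allow-listed hostnames, the "report preview" feature and the DNS answers are assumptions constructed for the example; the `reports.example.com` record deliberately points into a private range to stand in for a stale or hijacked record that would let an allow-listed name reach an internal component.

```python
"""SSRF: a trusting URL fetcher beside a hardened pre-connection check.

Added example for this article, not code from the original page. The
allow-list and DNS answers below are constructed assumptions.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple, Union
from urllib.parse import urlparse

# Hypothetical allow-list for a "report preview" feature (assumption).
ALLOWED_HOSTS = {"api.example.com", "reports.example.com"}

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],   # ordinary public address
    "reports.example.com": ["10.0.0.5"],    # allow-listed name, private target
}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def constructed_resolver(hostname: str) -> List[str]:
    """Offline stand-in for DNS; fails like socket.gaierror on unknown names."""
    try:
        return CONSTRUCTED_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed: no record for {hostname}")


def live_resolver(hostname: str) -> List[str]:
    """Real resolver (not used by the offline test): every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def fetch_vulnerable(url: str) -> str:
    """'Before': the target is whatever the caller supplied.

    In a cloud network that includes every peer service that trusts this
    service's source address, plus the instance metadata endpoint. The real
    call (requests.get(url)) is replaced by a string so the example is offline.
    """
    return f"GET {url}"


def address_is_internal(ip: IPAddress) -> bool:
    """True for any address a user-supplied URL must never reach."""
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or not ip.is_global
    )


def check_url(url: str, resolver: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """'After': decide before connecting whether url may be fetched.

    Returns (allowed, reason). Checks the scheme, userinfo tricks, an explicit
    host allow-list, and every address the host resolves to.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username is not None or parsed.password is not None:
        # http://api.example.com@169.254.169.254/ parses with the IP as host;
        # reject userinfo outright rather than reason about it.
        return False, "credentials in URL"
    host = parsed.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow-list"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for ip in addrs:
        if address_is_internal(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/users",
        "http://169.254.169.254/latest/meta-data/",
        "http://api.example.com@169.254.169.254/",
        "https://reports.example.com/daily",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_url(candidate, constructed_resolver))
```

Two caveats a practitioner would add: the address check happens at resolution time, so the actual connection must go to the checked address (or the whole fetch must run through an egress proxy that applies the same policy), otherwise a DNS answer that changes between check and connect bypasses it; and HTTP redirects must be disabled or re-checked hop by hop, since an allow-listed host can redirect to an internal one. The allow-list is the real control here; the address check only defends it against bad DNS.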
Successful DevSecOps programs require a change in project mindset toward security. Project teams, objectives and metrics should be designed to incorporate security. Rather than using metrics to point fingers at whoever wrote insecure code, tie developer objectives to reducing the number of vulnerabilities. This encourages developers to learn to write secure code and gives them ownership of resolving potential risks. DevSecOps doesn't just happen; it requires skilled team members working collectively toward the same goals. Rather than trying to roll out one comprehensive security solution at once, work iteratively and build on small successes: lightweight tools with fast feedback loops, backed by support across the project for developing better code and applications.
Agile Software Development
As more companies adopt new technologies, they are also making agile the default methodology for getting work done (even if agile means something slightly different to everybody). Agile software development requires a lot of creativity, communication and collaboration between team members. Implemented correctly, agile narrows the communication gaps that exist between security and software engineering teams.
Digital Transformation on Tap
As more business groups join the digital transformation, there are immense opportunities to reduce technical debt by leveraging tools and technologies that make life in security easier. Build repeatable security practices by codifying security controls within your infrastructure, give developers templates that inject reproducible security properties into their software and systems, and reduce risk by automating the security rituals that are traditionally error-prone and require significant skill to maintain.