The recent security breaches of high-profile retailers like Target and The Home Depot have sparked an unprecedented awareness of security among the general public, as well as awareness of decision makers in every industry. With this heightened awareness comes an increased willingness to allocate budget funds and other resources toward security projects.
Traditionally, security has received very little attention in most companies. If security protocols exist, they’re often ignored or relegated to someone (with little influence or power) to enforce them. This landscape is changing as more companies realise that breaches can be extremely costly to mitigate and can have long-lasting effects on company image.
Given the traditional bias against security within organisations, it’s become clear that a new approach is needed — an approach that drives a culture of security, rather than one that generates only a set of rules to follow. Without buy-in from both company executives and employees, any security plan will likely fail to attain its goals.
The DevOps Approach
Applying the DevOps approach is one way to move company culture toward security awareness. The approach also increases involvement from executives and employees alike. At its core, DevOps promotes collaboration — the idea that teams are better and stronger together than they are apart.
DevOps normally refers to the development and operations teams within an organisation, but it’s a universal concept that is globally applicable. While each organisation is unique, there are four common factors that will drastically increase the likelihood of success when attempting to foster a collaborative environment:
1. Have a clear goal.
Without a clear goal, it’s very easy to lose focus and end up working on tasks that don’t increase security at all.
When developing your goal, it’s important to be pragmatic and have a well-defined timeline with stated benefits that will be realised when the goal is reached. This goal must be simple and universal so everybody in the company can easily understand the benefits — especially management.
Make your goal specific. Some industries have auditing standards like the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act of 1996, or the Sarbanes–Oxley Act of 2002. If applicable, passing audits like these can be a great starting point. If none of these apply to your industry, you’ll have to develop you own set of standards to work toward, but you can certainly use an existing set of requirements as a starting point.
2. Get everyone on board.
In the case of security, it’s helpful to first get managerial approval before trying to influence departments or individuals. While someone with authority to implement security protocols handles this best, it can also originate organically if a single individual is willing to foster collaboration in his or her own team.
Police enforce, train, and educate, but they’re not solely responsible for ensuring every single driver follows all of the rules, all of the time — that’s the job of each individual driver behind the wheel. Everyone has to be on board and willing to police each other; it’s a team effort.
3. Walk before you run.
Implementing good security is hard. It’s hard on a technical level, and it’s also hard culturally. Realise that you can’t change everything overnight and that allocating resources toward security goals may temporarily slow down other projects.
Changing culture is a slow process; it requires constant incremental improvements to succeed. It’s best to lead by example and attempt to influence your team first. Strive to create a culture that other teams will want to emulate.
To increase security for technical projects, you will sometimes have to strip away a lot of external fluff to reach the project’s core and to understand the best way to secure it. Once the project’s core is secure, it’s much easier to add features in a secure manner.
4. Work in iterations.
Instead of trying to implement everything at once, break each project into smaller pieces that will incrementally increase security. Continually return to the topic of improving security over time. The following are some common problems that can be identified and fixed as small incremental projects:
● Validate inputs. Many applications fail to properly validate user input. This can facilitate SQL injection attacks, causing your application to expose sensitive data. Proper input validation is complex, but standard libraries exist for most platforms and frameworks. Don’t reinvent the wheel by writing your own validation libraries; it’s not worth the risk of missing an important edge case.
● Encrypt everything. Any sensitive data should be encrypted, whether it’s being transferred between systems or stored in a database. This means setting up encrypted connections between systems and implementing encryption libraries for data storage. Stick with industry standard tools because writing good encryption software is hard — even the experts mess up sometimes.
● Increase training and awareness. Training and awareness extends beyond developers and technical employees. Writing secure code is important, but if someone in the organisation falls prey to a social engineering attack, even the most secure systems can be compromised. Awareness training should be scheduled regularly and required for everyone.
● Decrease attack surfaces. Your attack surface refers to the total potential points of exposure of your systems. Installed software, custom code, servers, people, and applications are all potential attack vectors, so you should only expose the components that are absolutely necessary. Old code and systems should be ruthlessly pruned from your environment on a regular basis.
● Plan for failure. Every system needs to be designed with failure in mind. Implementing a firewall is great, but if you allow everything through by default when it goes down, you’re going to have problems. Anytime a system fails, the default state should be to tighten security until the system is restored to normal operations.
● Automate everything. When you automate a process, you remove the potential for human mistakes. This results in drastically increased security for deployments and infrastructure creation. For instance, using configuration management tools like Chef or Puppet Labs to automatically apply security best practices (instead of doing it by hand) eliminate the possibility that something critical will be missed. Automation also saves a lot of valuable time, which helps everyone focus on the bigger picture.
Using these time-tested DevOps strategies is a great way to foster increased collaboration within your organisation while also generating awareness of common security pitfalls and preventing costly security breaches. Track your progress as you implement these tools so you can make a case for even more collaboration in the future.
Andrew Storms is the Vice President of Security Services at New Context , a rapidly growing consulting company in the heart of downtown San Francisco that specialises in Lean Security and helping companies build better software.