Rattling DevOps Could Patch Cyber Security Gaps
Dan Gunderman
11/29/2017

The world of cyber security is both profound and unrelenting. The arena is massive, meaning threats intensify, evolve or transform every day. Does the longtime “perimeter” approach to enterprise and consumer security need to follow suit, and look inward for more stability?

Between the rigorous demands laid on our smartphones, the proliferation of cloud computing and a soaring network of interconnected devices in the “internet of things” (IoT), the security landscape looks far different than it did just a decade ago.

Because of the sheer number of interconnected devices, and a sharp demand for optimized products and software, there is a footrace to the market. Does this leave gaps in security that can be patched from the inside out?

According to Bain Capital Ventures Managing Director Enrique Salem, in a piece written for GCN, the foundation of cyber security must be rattled so that developers can begin addressing vulnerabilities from the outset – in the development and operations (DevOps) phase. This approach differs from the timeworn system of data encryption and device security, which locks in data and erects firewalls, but might be ignoring embedded issues.

The layering of multiple security tools has, in fact, cost some top-tier companies dearly – hitting both their reputations and bottom lines. These mega-breaches are likely to continue while cyber criminals bully their way into systems. This trespassing has arguably become easier in a world of mobile applications and cloud-based systems.

Salem writes that “baked-in” security could be the remedy cyber security needs, as it reels from high-profile breaches like Equifax or Uber. The emergence of infrastructure-as-a-service (IaaS) and the cloud has disrupted the previous model of hardware purchases and software-as-a-service (SaaS). Mobility initiatives and the growing IoT network are even eroding the once standard office environment. This means more access points and more data streams, perhaps left defenseless.


As this transition has taken hold, cyber criminals have grown from lowly hackers into nation-state actors, hacktivists and organized crime members. Their objectives have changed accordingly: their goals are loftier and far more malicious.

So vulnerable code is certainly no way to reel everything back in. Yet, according to the Global CRASH Report from software analysis firm CAST, a startling amount of unsecured code is in use. The report analyzes 1.03 billion lines of code in 1,850 apps from 325 organizations across eight countries.

Salem also draws upon the Equifax hack and the WannaCry ransomware attack as prime examples of security gone wrong. With regard to Equifax, the consumer credit reporting agency’s former CEO has reportedly said in the wake of its massive data breach that it was due to a tech staffer who failed to ensure that software had been patched. Meanwhile, WannaCry targeted a known vulnerability in Windows – one Microsoft had released patches for months earlier.

Salem describes the current system as “agile development,” meaning the incubation process may be rushed in the DevOps stage, and coding rushed along with it. To counter this, security must take precedence while also moving at the pace of development. This is only possible with the emergence of new tools that help ensure code is secure from the outset.


While the problem is easy to diagnose, profound shifts in the space are often difficult to carry out. Yet, with the right aptitude, security professionals might be able to shift focus, slightly, to think about protection from the interior, instead of just working tirelessly to repel a blitz of different threats.

This could mean code analysis becomes a stricter part of software development. The measures must ensure full visibility whenever updates are to be made. Visibility goes even further, Salem writes, including understanding all software functions (inputs/outputs, interfaces and open source libraries).

Such a system would likely build strength and, of course, safer software – especially if its code analysis tools are able to pinpoint potential vulnerabilities from the get-go, before the solution fails a consumer or enterprise professional.

The discussion hearkens back to the security world’s tendency to attempt to understand sophisticated cyber criminals instead of truly understanding its own weak spots.

For the enterprise specifically, this is something a CISO-type should keep on his or her radar, as measurable shifts in software production could mean a safer, padded enterprise operation.

These days, data is a commodity and IT staffers are tasked with protecting it. Certain programs can also be harnessed to deny service to legitimate users. So, protection in this space would be made easier if gatekeeping tools were released that could spot vulnerabilities before cyber criminals coerce, exploit and spread their venom.