Good Fences Do Not Make Good Neighbors: How Continuous Delivery Busts Silos for Security

Continuous delivery of software and applications is one of the most significant advancements to have taken place in the computing industry in the past 25 years. It is catching on so fast that you can now hear the death rattle of the 18-month software delivery cycle. The rise of cloud computing infrastructures — both in corporate data centers and infrastructure-as-a-service (IaaS) providers such as Amazon Web Services (AWS) — is powered by agile software development teams using orchestration tools like Puppet and Chef to decouple application development from the infrastructure, adding speed and agility to the enterprise.

Just as enterprise computing is having its DevOps moment, though, much of the security profession has woken up to the fact that it is mired in the traditional infrastructure and silo approach. When everything in computing is dynamic, distributed, heterogeneous, and hybrid (i.e., alive), security that is bonded to static infrastructures like the network — an architecture based on hierarchies and chokepoints — appears out of sync with the new reality. If you are a security professional, continuous delivery and agile development are your future.

Consider the traditional approach to securing applications. Development creates a new app and then passes it over to the infrastructure team, which then onboards it to server, storage, and networking platforms. When that is complete, the security team comes in to protect it so employees, partners, suppliers, and customers can use it securely.

[Figure: Software Development Lifecycle]

The organizational “fences” among these teams can leave security practitioners with poor visibility into how an application is constructed from a security perspective. It may start with limited or no documentation of how an application communicates among its various components as well as its various user groups. This causes risk challenges for IT in several ways:

• The handoffs among the various IT teams increase the operational overhead related to security and drive opaqueness among them. This means deployments are delayed, which creates pressure on security teams to meet schedules related to the business.

• More “cooks in the kitchen,” as it relates to the application development cycle, can increase the “attack surface” available to hackers by leaving ports on physical or virtual servers open or ignored by traditional perimeter security technologies.

• Any changes in applications (patches, updates, etc.) will have ripple effects for security teams trying to keep up, which must revisit the impact on both the application and the infrastructure.

What would happen if security became part of the development process from day one? What would happen if security adapted to a more fluid, continuous delivery world?

The good news is that security is evolving. Gartner has outlined how new Adaptive Security platforms are emerging that treat security protection as a continuous process, mirroring the changes in application development and software-defined infrastructures. Rather than bringing “batch” updates to firewall rules or IDS/APT systems, new adaptive security approaches can both streamline data center security processes and reduce the friction among various IT constituencies.

For security to flourish in the age of continuous delivery, it must meet the following requirements:

1. Security policy must be embedded into the application development cycle at inception. This means developers must join with infrastructure and security teams to create and instrument policy when they are creating new apps. Just as continuous delivery dissolves the barriers between developers and infrastructure, security will be the next silo to go.

2. Enforcement of security policies must move and adapt with the continuous delivery approach. If new applications are moved between private clouds and IaaS environments, security must move with the applications.

3. Thus, security must be decoupled from infrastructure to support the distributed and fluid nature of continuous, on-demand applications and supporting infrastructures. This provides an added benefit of being able to dynamically add resources on-demand, including security.

4. Finally, as Gartner notes, security must offer detective, preventive, responsive, and predictive capabilities that adapt with changes in the threat environment and provide transparency to the various IT constituencies involved.

While the leadership of the security team in protecting a company’s IP and assets will never go away, the responsibility increasingly must become part of the mission for other IT groups. Perhaps Robert Frost did not have it quite right: good fences do not make good neighbors.
