SecurityWeek

Seventy Percent of Firms Sacrifice Security for Faster Innovation

Software Vulnerability Trends

As IT infrastructures have become more complex, certain specialist functions have developed their own niche requirements, connected to but separate from mainstream IT operations. Prime examples include development, security and networking. Over the years, these niche requirements have become siloed and less efficient than they should be.

In more recent years there have been attempts to break down the silos to re-integrate the functions with mainstream IT operations — and the concepts of DevOps, NetOps and SecOps, and the more nuanced DevSecOps, have evolved. The umbrella term is xOps. In all cases the purpose is to improve speed, agility, and efficiency of the niche functions through better integration with IT operations, and the process has frequently proved very successful.

However, the degree of efficiency achieved is entirely dependent on the success of reintegrating the functions with IT operations — and this is not uniform. Lehi, Utah-based automation firm SaltStack has launched a new series of survey reports examining the current state of xOps, starting with an examination of the state of SecOps. (SecOps differs from DevSecOps. The former is the overall security of the infrastructure and its data, while the latter is an attempt to build security into the development phase of new applications to avoid having to bolt security on after deployment.)

SaltStack’s ‘State of XOps Report, Q2 2020’ (PDF) queried 130 verified infosec and IT leaders during January 2020. This is against the background of Gartner’s 2017 prediction that through to the end of 2020, 99% of vulnerabilities exploited will be ones already known by security and IT professionals. “A number of recent breaches indicate system misconfiguration and unpatched, known vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, are the most common cause of data exposure and successful exploits,” adds Alex Peay, SVP of product and marketing at SaltStack.

The implication is that if the vulnerabilities are known but not fixed, there is a lack of adequate collaboration between the security and IT teams. This is confirmed by the SaltStack survey. Only 54% of security leaders say they communicate effectively with the IT professionals, while a mere 45% of the IT professionals agree. While both figures are worrying, the difference also suggests over-confidence by the security team in their ability to communicate, and/or IT’s willingness to listen.

Despite this, there is a basic understanding of what should happen. For example, both security and IT managers agree that data protection should be prioritized over innovation, speed to market and cost. The reality, however, is different in practice — only 30% say this happens. A full 70% say their company sacrifices data security for faster innovation. Peay told SecurityWeek that the cause is probably complex: “a bit of the operations team self-pressuring to complete work as quickly as possible, a lot of pressure from above, and perhaps some personality clashes between Sec and Ops.”

It is, however, a problem that needs to be solved and one that the SecOps concept isn’t yet solving. SaltStack believes the problem may lie in the different details of responsibility between the two teams. “IT operators have the mandate to rapidly innovate and push new products to market while maintaining infrastructure reliability,” says the report. “Security pros are tasked with identifying security vulnerabilities and compliance issues. The shared responsibility of taking action to remediate security issues and enforce compliance often falls between the cracks.”

These cracks may be amplified by the lack of a cross-group process that ties the two teams into working together collaboratively. It’s a suggestion that is supported within the detail of the survey. Where cross-functional collaboration and automation tools are used, managers are four times more likely to say that the IT and security teams communicate effectively.


This is further emphasized by a common dislike of certain tasks (both groups hate patch management, security hates threat prioritization, and IT hates compliance audits), while both groups agree that automation unifies the work of SecOps, enabling team collaboration and efficiency. The implication is that automation covering both Sec and Ops transcends the natural differences between the two groups, and can make the concept of SecOps successful.

The patching problem has been amply illustrated by recent vulnerabilities within SaltStack’s own Salt product. Two vulnerabilities were discovered by F-Secure and responsibly disclosed. SaltStack patched the vulnerabilities before F-Secure went public, but F-Secure made the point that a competent hacker would take no longer than a day to develop an exploit. “Patch by Friday or be breached by Monday,” it warned. And it was right: breaches based on these exploits began to be reported over the weekend.

“There are simply not enough skilled humans to secure digital infrastructure at scale without the force multiplier of security operations automation and improved collaboration among teams,” says Peay. “Automation and collaboration are proven to be the difference between a breach, or truly secure digital business.”

Related: Driving the Convergence of Networking and Security

Related: SecOps: The Roadkill Victim of DevOps’ Need for Speed

Related: Security Automation is About Trust, Not Technology

Related: Advancing DevSecOps Into the Future

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
