The busy security leader’s kit to scale security with modern software development
As a security leader charged with protecting your organization, do you sympathize with Damocles?
You may think, “He’s got it better...there’s no blindfold and it’s just one sword!”
Blindness to cloud native risks isn’t your fate! There are dozens of open source solutions that can help you fix security issues before they drop.
The place to start is with the obvious risks that are embarrassing to miss at best – or worse – subject you to the fate of Damocles.
In this blog post, learn about ways to detect three types of security issues to reduce your cloud native security risk.
1. Secrets you wouldn’t tell a soulIdentify secrets found in source code. These are the small set of unambiguous and un-addressed secrets materializing in your code repositories.
They are knowable, discoverable and considered unacceptable to let loose. If found in production by the bad guys, researchers and or auditors, it will be tough sledding to escape unscathed.
This problem isn’t going away in development nor production. Just look at this article on the 4,000 S3 buckets found last August that were full of secrets impacting public and private companies – resulting in class action lawsuits.
While there are many pros to OSS secrets detection tools, it is important to pick those that don’t create too much noise with false positives. For security teams – only critical alerts (in the aggregate) with minimal false positives should arrive in their inbox or Slack.
After all, you don’t want them to get up out of their chairs every five minutes to poke at some unsuspecting developer or member of your team to only find out it’s “yet another false positive!”
2. Containers from the Death Star signed by Darth Vader
The bad guys are rooting for you to ignore your nasty images. It’s a force multiplier for them in that one image equals many (if not hundred or thousands) deployments.
It’s a problem that is easily solved if you can find the images primed to escape. If you continue to see a trend of inaction, that is your cue to take action. Your supply chain security capabilities may be failing.
With the advent of the Solar Winds hack, your board is already questioning you about how you control for supply chain risks – and your container images are a gateway to potential evil. Your response should be that you are personally on top of this and monitoring daily for unaddressed risks. Anything less may be interpreted as passivity.
3. Infrastructure that shouldn’t see the light of day
Scan the servers, application code, container images – anything and everything. It’s what security teams do. We take pride in knowing what we have and what state it’s in...thus we scan ad nauseam.
So, why aren’t security teams religiously scanning their infrastructure as code (IaC i.e Terraform, CloudFormation, etc.) to find problems before they can be deployed into production (IaC i.e Terraform, CloudFormation etc)? Shouldn’t we scan the stuff that defines cloud services and hence our largest attack surface?
Yes! Particularly since scanning IaC is the most efficient and cost effective way to eliminate cloud configuration vulnerabilities before they’re deployed.
Finding and fixing critical configuration vulnerabilities before they are deployed, as opposed to after, is a must. The challenge is that security has no leverage with development. Asking development teams to let security scan for problems is disruptive, and developers have varying knowledge of open source tools to do the testing themselves.
Some may argue that scanning deployed cloud services is good enough using CSPM tools. The problem with that approach is that once deployed in production, whatever your scanner can see, the bad guys may see too.
Shifting Security Checks to Developers to Scale Security
The challenge isn’t the individual technologies, nor is it merely about these three types of checks. It’s about you as a security leader being on top of your cloud native security capabilities and using them to your advantage.
When you can help developers easily conduct assessments early in development, they can identify and fix any issues themselves without having to go through the security team. Best of all, fewer security issues make it through to production, where they can affect your customers. It also saves the security teams from having to work with developers to fix the problems.
This is what we’re helping customers do with our platform, Soluble Fusion. The platform orchestrates security assessments for developers so they can easily scan and get direct alerts about problems – like exposed secrets, container image issues, and IaC misconfigurations – and fix them before committing or updating any code.
The developers can run these assessments within their workflows themselves without being bothered by security. For security, we can help you roll out consistent tools to developers, gain visibility into assessment status, and automate sending alerts directly to developers for efficient remediation.
We help customers reduce the incidents making it into production – reducing work for security teams and eliminating the need to hunt down developers for rework. We also also provide records for compliance, and a way to set up policies to prevent future mistakes.
We’re happy to show you how it works. Contact us for early access.