Examples of devops focus a lot on
provisioning and deployment configuration. Security is rarely mentioned, even
though there is likely no better example of why devops is something you should
be doing. Aside from the challenges arising from the virtual machine
explosion inside the data center, no other issue better
exemplifies the inability of operations to scale manually to meet demand than
web application security. Attacks today are persistent and scalable thanks to the
rise of botnets, push-button mass attacks, and automation.
Security operations, however,
continues to be hampered by manual response processes that simply do not scale
fast enough to deal with these persistent threats. Tools that promise to close
the operational gap between discovery and mitigation for the most part continue
to rely upon manual configuration and deployment. Because of the time
investment required, organizations focus on securing only the most critical of
web applications, leaving others vulnerable and open to exploitation.
Two separate solutions – DAST and
virtual patching – come together to offer a path to meeting this challenge head
on, where it lives, in security operations. By integrating the two and
codifying vetted mitigations, persistent threat management turns the
discovery-to-mitigation cycle into a repeatable process that security operations can automate and scale.
A New Operational Model
DAST, according to
Gartner, “locates vulnerabilities at the
application layer to quickly and accurately give security teams insight into
what vulnerabilities need to be fixed and where to find them.” Well-known
DAST providers like WhiteHat Security and Cenzic have long expounded upon
scanning early and often and on the need to address the tendency of
organizations to leave applications vulnerable despite the existence of
well-known mitigating solutions – both from developers and infrastructure.
Virtual patching is the process of
employing a WAF-based mitigation to virtually “patch” a security
vulnerability in a web application. Virtual patching takes far less time and
effort than application modification, and is thus often used as a temporary
mitigation that gives developers or vendors time to address the vulnerability
while reducing the risk of exploitation sooner rather than later. It is a
compensating control, not a fix: the vulnerable code remains until the
application itself is corrected, so each virtual patch needs an owner and a
follow-up date.
Virtual patching has generally been
accomplished through the integration of DAST and WAF solutions. Push a button
here, another one there, and voila! The application is patched.
But this process is still highly
manual and has required human intervention to validate the mitigation as well
as to deploy it. This process does not scale well when an organization with
hundreds of applications may be facing 7-12 vulnerabilities per application.
Adoption of agile development methodologies has made this process more
cumbersome, as releases are pushed to production more frequently, requiring
scanning and patching again and again and again.
The answer is to automate the
discovery and mitigation process for the 80% of vulnerabilities for which there
are known, vetted mitigating policies. This relieves the pressure on security
ops and allows them to effectively scale to cover all web applications rather
than just those deemed critical by the business.
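The workflow sketched in the two paragraphs above, as an added example (not code from the original post, nor from any DAST or WAF vendor): a script that takes constructed DAST findings, applies a catalogue of vetted mitigations for the vulnerability classes that have one, emits ModSecurity-style virtual patch rules for those, and routes everything else (no vetted policy, low confidence, or no parameter to target) to manual review. The finding format, the policy catalogue, the rule templates and the reserved rule-id range are assumptions for illustration.

```python
"""Added example: triage DAST findings into virtual patches plus a manual-review queue.

All data below is constructed. The finding schema, policy catalogue and the
ModSecurity-style rule text are assumptions, not any product's real format.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample of what a DAST scanner might report (hypothetical schema).
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "sqli", "url": "https://shop.example.test/search?q=1",
     "param": "q", "confidence": "high"},
    {"id": "f-2", "type": "xss", "url": "https://shop.example.test/comment",
     "param": "body", "confidence": "high"},
    {"id": "f-3", "type": "path_traversal", "url": "https://shop.example.test/download",
     "param": "file", "confidence": "medium"},
    {"id": "f-4", "type": "auth_bypass", "url": "https://shop.example.test/admin",
     "param": None, "confidence": "high"},
    {"id": "f-5", "type": "sqli", "url": "https://shop.example.test/search?q=2",
     "param": "q", "confidence": "low"},
]

# Vetted mitigations: vulnerability class -> WAF operator that a human has already
# reviewed. Only classes listed here are patched automatically (the "80%");
# anything else is handed to a person (the "20%"). Catalogue is an assumption.
VETTED_POLICIES = {
    "sqli": {"operator": "@detectSQLi", "msg": "Virtual patch: SQL injection"},
    "xss": {"operator": "@detectXSS", "msg": "Virtual patch: cross-site scripting"},
    "path_traversal": {"operator": "@rx \\.\\./", "msg": "Virtual patch: path traversal"},
}

AUTO_PATCH_CONFIDENCE = {"high", "medium"}   # low-confidence findings get a human look


@dataclass
class TriageResult:
    rules: list = field(default_factory=list)          # rendered virtual patches
    manual_review: list = field(default_factory=list)  # findings needing a person
    duplicates: list = field(default_factory=list)     # same class/path/param seen already


def rule_id(finding_id, base=900000):
    """Deterministic rule id in a reserved range so re-running the pipeline is idempotent."""
    digits = re.sub(r"\D", "", finding_id) or "0"
    return base + int(digits)


def render_rule(finding, policy):
    """Render one chained ModSecurity-style rule: match the path, then test the parameter.

    The disruptive action (deny) sits on the first rule of the chain, as
    ModSecurity expects; the second rule only carries the operator and
    transformations. Rule text is an illustration, not a vendor template.
    """
    path = urlparse(finding["url"]).path
    return (
        f"SecRule REQUEST_URI \"@beginsWith {path}\" "
        f"\"id:{rule_id(finding['id'])},phase:2,chain,deny,status:403,log,"
        f"msg:'{policy['msg']} ({finding['id']})'\"\n"
        f"    SecRule ARGS:{finding['param']} \"{policy['operator']}\" "
        f"\"t:none,t:urlDecodeUni\""
    )


def triage(findings, policies=VETTED_POLICIES):
    """Split findings into auto-generated patches, manual review and duplicates."""
    result = TriageResult()
    patched = set()
    for f in findings:
        key = (f["type"], urlparse(f["url"]).path, f["param"])
        if key in patched:
            result.duplicates.append(f)       # one rule already covers this location
            continue
        policy = policies.get(f["type"])
        needs_human = (
            policy is None                              # no vetted mitigation for this class
            or f["param"] is None                       # nothing specific to target
            or f["confidence"] not in AUTO_PATCH_CONFIDENCE
        )
        if needs_human:
            result.manual_review.append(f)
            continue
        result.rules.append(render_rule(f, policy))
        patched.add(key)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_FINDINGS)
    print("\n\n".join(r.rules))
    print("\n# manual review:", [f["id"] for f in r.manual_review])
    print("# duplicates:", [f["id"] for f in r.duplicates])
```

The point of the split is operational, not clever: the generated rules can be pushed by the same deployment tooling that ships the application, while the manual-review list is the only thing a human has to read. Adding a class to the catalogue is a code review of one policy entry, which is where the "vetted" part of the process lives.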
AGILE meets OPS
This operational model exemplifies
the notion of applying agile methodologies to operations, a.k.a. devops.
Continuous iterations of a well-defined process ensure better, more secure
applications and free security ops to focus on the 20% of threats that cannot
be addressed automatically. This enables operations to scale and provide
the same (or better) level of service, something that’s increasingly difficult
as the number of applications and clients that must be supported explodes.
A growing reliance on virtualization
to support cloud computing as well as the proliferation of devices may make for more
interesting headlines, but security processes will also benefit from operations
adopting devops. An increasingly robust ecosystem of integrated solutions that
enable a more agile approach to security by taking advantage of automation and
best practices will be a boon to organizations struggling to keep up with the
frenetic pace set by attackers.
