Secure software by working smarter, not harder.

Many organisations are challenged in their ability to hire and retain high performing security teams due to an extremely competitive market. 

There’s a massive skills gap in cyber security, and it is most acute for people with skills in both cyber security and software.  Some estimates cite 3.5 million unfilled jobs in cyber security around the world, with other estimates stating one-in-three jobs in the US are unfilled.

Like any industry, this means there’s a flood of new workers who have moved into cyber security, and organisations that would previously have demanded 8+ years of experience for certain jobs will now take someone with much less.

When scale meets speed: the growing gap in software security

The shortage is felt most in roles that require key technical skills, particularly those in application and cloud security.  This comes at a time when the scale of security work and the increase in software releases mean organisations have more security checks and reporting to perform.

It used to take months to create and ship a new software release.  Now modern software development techniques measure the time between releases into the hands of customers in hours.  Gartner has suggested that 90% of enterprises, previously perceived as the slowest to act on software releases, now want to release new updates daily.

Agile, DevOps, the ability to spin up cloud systems almost instantly, microservices, and more have put software teams in the driving seat, given them the keys, and accelerated at full speed.  This is great for digital transformation and the pace of business change.

Business analysts and management can ask for new functionality and get it quickly.  The business race then becomes which organisation can create the coolest new features ahead of its competitors, or catch up on the feature a competitor has just promised to push out.

This is where scale kicks in, because no mid to large company is working on just one feature.  Enterprises have thousands of applications under their management, and each could have many upgrades and new features on the go.

Don’t let something like security get in the way

But hold on - all these new releases and features will be code changes, right?  Those changes will process sensitive data, be subject to regulations, run on new configurations, and more - don’t we need to make sure they’re secure?  Certainly regulations such as GDPR and PCI DSS agree they should be - see our blog on "Security Testing as agile as you are".

However, as stated above, we don’t have enough security folks, and even if we did, it’s unlikely they would have the time to run all those manual security checks for every one of these releases.

Automation and orchestration are the answer

This is why, for the last 20 years, the software security industry has been moving more and more towards automation.  It used to be that we would manually review code for SQL injection; now there’s a multitude of vulnerability scanners that can do this for us.

Security automation really comes in three different forms:
  1. Commercial: There are many paid-for security tools that invest heavily in logic to scan code, check containers, send bad traffic to a running web server, or poke a database.  These will have further features to perhaps track bugs and produce reports.
  2. Open source: These free tools have varying degrees of scope (i.e. scan for lots of things or one specific thing) and usability (a fancy user interface, or a command-line job with outputs that take skills to interpret).
  3. Custom, bespoke scripts: Off-the-shelf commercial and open source checks will not find those awkward security issues that could only apply to one particular web app, or to your company’s standards.  Is that page supposed to be visible without TLS?  Can the US team view the European data?  Is the Admin user supposed to approve mortgages?  How can we check all our apps are logging in the correct format?  These tend to get quick scripts written to speed up repetitive checks, but where do they report to?
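As an added illustration of the third category (and of the hand-review-turned-scanner point above), here is a small custom check runner. It is example code written for this page, not Uleska's product or any real project: the three checks (TLS-only endpoints, a hypothetical house log format, and a deliberately naive string-concatenated-SQL detector), the `Finding` shape and the sample application data are all constructed for the example. Its point is the last question in the list: each bespoke check emits findings in one machine-readable shape and a pass/fail exit code, so an orchestration layer rather than a person can route the results.

```python
import json
import re
from dataclasses import dataclass, asdict


@dataclass
class Finding:
    """One result from a bespoke check, in a shape an orchestration platform can ingest."""
    check: str
    severity: str
    location: str
    message: str


# Check 1: every endpoint in the application's config must be served over TLS.
def check_tls_only(endpoints):
    findings = []
    for name, url in endpoints.items():
        if url.lower().startswith("http://"):
            findings.append(Finding("tls-only", "high", name,
                                    f"endpoint served without TLS: {url}"))
    return findings


# Check 2: log lines must follow the (hypothetical) house format
#   <ISO-8601 UTC timestamp> [<LEVEL>] <service>: <message>
LOG_LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z \[(DEBUG|INFO|WARN|ERROR)\] [a-z0-9-]+: .+$")


def check_log_format(lines):
    findings = []
    for number, line in enumerate(lines, start=1):
        if not LOG_LINE_RE.match(line):
            findings.append(Finding("log-format", "medium", f"log line {number}",
                                    "line does not match the standard log format"))
    return findings


# Check 3: a deliberately simple stand-in for the manual SQL injection review:
# flag a double-quoted SQL literal that is immediately concatenated with '+'.
SQL_CONCAT_RE = re.compile(r'"(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE)


def check_sql_concat(source_lines):
    findings = []
    for number, line in enumerate(source_lines, start=1):
        if SQL_CONCAT_RE.search(line):
            findings.append(Finding("sql-concat", "high", f"source line {number}",
                                    "SQL query built by string concatenation; use parameters"))
    return findings


def run_checks(app):
    """Run every check against one application description and collect the findings."""
    findings = []
    findings += check_tls_only(app["endpoints"])
    findings += check_log_format(app["log_sample"])
    findings += check_sql_concat(app["source_sample"])
    return findings


def has_blocking(findings):
    """True if any finding is severe enough to stop a release pipeline."""
    return any(f.severity == "high" for f in findings)


def report_json(app_name, findings):
    """Serialise findings so the orchestration layer, not a person, routes them."""
    return json.dumps({"tool": "custom-checks", "application": app_name,
                       "findings": [asdict(f) for f in findings]}, indent=2)


# Constructed sample input (not real data): one app with one issue of each kind.
SAMPLE_APP = {
    "name": "mortgage-portal",
    "endpoints": {"api": "https://api.example.test", "status": "http://status.example.test"},
    "log_sample": [
        "2024-01-01T12:00:00Z [INFO] payments: service started",
        "payments service started",
    ],
    "source_sample": [
        'query = "SELECT * FROM users WHERE id = " + user_id',
        'cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))',
    ],
}

if __name__ == "__main__":
    results = run_checks(SAMPLE_APP)
    print(report_json(SAMPLE_APP["name"], results))
    # Non-zero exit lets a CI job fail the release on high-severity findings.
    raise SystemExit(1 if has_blocking(results) else 0)
```

Run against the constructed sample it reports three findings (one per check) and exits 1 because two are high severity. The JSON shape and severity names are the example's own convention; the useful design choice is that every bespoke script speaks the same output format, so adding a fourth check means writing only the check, not another reporting path.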

When it comes to what you’re testing, that again spreads the conversation across many types of tools.  Are you using a web server scanner but not checking cloud configurations?  Is your network well checked, but containers left to their own devices?  Does that expensive security tool the other team licensed effectively scan the new Ruby, Go, or JavaScript projects your team is creating?

The days of using one tool to check an entire application are gone, thanks to the diversity of each application’s tech stack, which may combine different languages, cloud environments, web servers, data stores, containers, microservices, and other components, any one of which could change and introduce security flaws.  This further extends to the many teams you will have, each of which may use different combinations, flavours, and versions of platforms, web servers, databases, and so on.

The ‘Security vs Business’ Choice

Our industry has come to a point where simply being able to run the automated security tools is, in itself, part of the skill set of a security team.  With more and more releases from many projects, this diversity and scale becomes a blocker for releases.

It becomes a choice: either we don’t release this cool feature as quickly as our competitors, or we close our eyes, hope we haven’t introduced any security issues, and run the risk of being breached.

This is the fault of security as a whole: our industry has insisted that security must be applied and adhered to, without providing cost-effective and scalable methods by which security can keep up with the speed of development releases.

Automate and orchestrate the automation

Allow automation and orchestration to remove many of the manual tasks security teams are performing.  The Uleska Platform comes with built-in integrations for many of the popular commercial and open source security testing tools, and is extensible for your custom scripts.

Stop repeated tasks such as setting up testing, interpreting results, alerting teams, communicating fixes to development teams, and reporting metrics and risk to stakeholders from consuming your security team’s resources.

The Uleska Platform automates these tasks for web apps, cloud systems, containers, microservices, and more.  It further provides extensive configuration and extensibility to fit into your security programs.  It takes those repeated, automatable manual tasks away from your security personnel’s day-to-day jobs so they can concentrate on adding value in other ways, allowing them to security test smarter, not harder.
