Detectify security experts speak with security managers and operational defenders daily. There is a clear division between how a modern, security-mature organization approaches security and how compliance-first organizations do, playing whack-a-mole to lock down the perimeter. Security transparency is one of the differentiators.
Rickard Carlsson, Detectify CEO, was recently on Enterprise Security Weekly to talk about the paradigm shift happening in security, and we’re bringing you insights from the perimeter-less world of appsec in a multi-part series.
First up, challenging security transparency to drive innovation in the cloud.
Modern and security-mature orgs are likely running DevOps:
DevOps is all the rage, and if you are a SaaS company you are likely already doing DevOps or aiming to. DevOps is focused on continuous delivery and gives a tech team the ability to build fast, learn from what it shipped and improve it on a consistent cycle, in other words to scale. According to StackOverflow’s annual survey, 43.8% of respondents say they have colleagues dedicated to DevOps, and nearly half (48%) think it is essential to scaling software development.
Rickard on the pace of DevOps:
“… When you are operating in a DevOps team, production and pre-production could be considered the same thing because they are just 15 minutes apart. You don’t have a testing cycle for three months… and everything moves so much faster.”
Rickard goes on to say that the difference here is the collaboration between Engineering and Security. This is where modern, security-mature companies can set themselves apart: awareness and knowledge flow between the two teams, and that flow is governed differently than in more “traditional” companies.
The traditional approach is keeping you from innovating:
If security is holding back development, it is not helping your company scale, and it could prevent the next big thing from being discovered and embraced by end users.
From what he’s heard from executives, Rickard says this reluctance can come from a lack of trust and worry over how security information could be exploited. The truth is that someone outside your organization could already have that same information. Having it in the hands of those on your side – team members or ethical hackers – can only increase the likelihood of improving the status quo.
Rickard on executives and security that are falling behind:
“(some executives tell me)…I want to test things pre-production for security, but I don’t want to give my developers access to the results because they might use it against us.” If this is your approach, you’re doing security in the old way, and you’re going to limit your business’ opportunities at innovation.
It’s not uncommon to hear this from an executive who is a bit insecure about the findings, and executives often think they need to guard this information heavily, but continuing on this path will not move organizational security forward.
How to drive security and innovation
Here are tips for security transparency:
- Make security information available across all the products you offer, even if that is hundreds of products
- Make security dashboards available for everyone at the company to view
- Tie part of executive, team or product-management compensation to product or organizational security – not just the CISO’s
To show or not to show results?
The tips are bold, and this is how we see the leading tech companies innovating and securing today. The leaders see transparency as a necessity for innovation, so they give their teams access to vulnerability information. They break the rules of least-privileged access for that information and make it available to as many people as possible to activate learning and collaboration, and to bring relevant products to market. Note that this is about widening read access to findings, not to the systems those findings describe. So now you may need to ask yourself, “Should we show or not show results? What’s going to make us better for tomorrow?”
Are you in “change my mind” mode and open to a paradigm shift toward more integrated and collaborative security? Check out the full interview with Rickard Carlsson on Enterprise Security Weekly – Collaboration Rules! Challenging Transparency in Modern App Sec – Rickard Carlsson – ESW #225:
How does Detectify help with security transparency?
Detectify is trusted by leading SaaS companies to continuously check application security and detect business-critical vulnerabilities. We collaborate with some of the best ethical hackers in the world to power our vulnerability scanner with crowd-based research. This means sourcing actively exploited vulnerabilities that are actually interesting to fix, and things you didn’t even think were possible.
This is way more than version testing and the OWASP Top 10. Curious to see what Detectify’s automated hacking will find in your websites? Start a free 2-week trial.