June 10, 2015

News from InfoSecurity 2015

I've just returned from my first visit to InfoSecurity 2015 in London. With the launch earlier this year of Perforce Helix Threat Detection, this was a great opportunity to review the state of the cyber-security world, hear about the key challenges facing governments, businesses and individuals, and look at some of the solutions being offered. This couldn't be more timely: as I write this, it has been announced that the U.S. government suffered a serious attack earlier this year which compromised the personal details of thousands of federal employees.

My particular area of interest is the emerging role of security in DevOps. There are a few key aspects to consider:

  • As a developer, what do you need to do and how does that fit with agile and development processes?

  • As a Release Manager, Operations Specialist or DevOps Engineer, what do you need to know to roll out and manage secure applications?

  • As a Chief Information Security Officer or Risk Manager, what is going on in the development and operations areas that you ought to be concerned about?

I haven't got space here to cover all of these topics, but here are a few highlights from the conversations I had at the conference.

Development Managers and DevOps specialists are increasingly aware of the need for secure applications. They are concerned that, as release cycle times shrink with the adoption of Continuous Delivery, security is not weakened and deliveries are not slowed down. Some companies are working out how to do this by involving security experts in the earliest stages of sprint planning and making sure security stories are “groomed” so that they are properly prioritized in their backlogs. They're also adopting tools for automated code and application validation. It was interesting to see an increasing number of tools addressing the need for dynamic security testing. Although the term seems to have been around for a few years already, a number of people were talking about “Rugged DevOps” and I think this is an area that will continue to grow.

Security experts, especially those involved in IT audits or risk assessments, are busier than ever. Some are aware of the potential risks that may exist in their development organizations, but I suspect the majority are not. This is the result of two issues.

Firstly, they may not fully appreciate the value of the software being developed. They know that they need to protect customer and staff personal data, but they don't necessarily realize that the software is actually their company’s competitive differentiator and could be critical if leaked to a competitor.

Secondly, there is a lot of technology involved that they don't understand. They may be familiar with firewalls, VPNs, email, etc., but developers often bring tools into the business without their knowledge, and these tools, such as Subversion or Git, are inherently vulnerable. It's increasingly hard to keep track of business documents in a world full of email, cloud file sharing services and BYOD mobiles, but this technical software content is even harder to grasp.

I saw a number of tools that try to address some of these problems by monitoring network traffic rather than trying to lock down each application. This generates another problem though – if you're monitoring hundreds or thousands of different file types and communications, it quickly becomes an impossible management challenge.

A few tools are trying to address that problem by using analytics to analyze the basic data and infer what looks like suspicious behavior. This helps with the management issue, but they still don't understand the context of the data being moved around the organization, which makes them inefficient for DevOps.

I didn't see anything that was close to Perforce Helix Threat Detection, which focuses on protecting the valuable IP created by design and development teams. Because it uses the rich data available from the Helix Versioning Engine, it understands the context of the files being accessed. It can not only track that a user is accessing more files than usual (most tools can't work out what “normal” means for a given user), but it also understands whether those files are in projects they “normally” use, or whether they are using the files in ways that are unusual for that user.
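To make the baseline-and-context idea of the last two paragraphs concrete, here is a small added example (written for this post, not Perforce's product or its log format): learn per user which projects and how many files a day are normal, then flag a day that departs from that baseline. The record layout, depot paths and user names are all constructed.

```python
"""Toy per-user behavioural baseline over version-control access records, as
sketched above; the log format and every record here are constructed."""
from collections import defaultdict
from statistics import median

# Constructed records: (day, user, depot path); project = 2nd path component.
HISTORY = [
    ("d1", "alice", "//depot/payments/api/server.go"),
    ("d1", "alice", "//depot/payments/api/client.go"),
    ("d2", "alice", "//depot/payments/db/schema.sql"),
    ("d2", "alice", "//depot/payments/api/server.go"),
    ("d3", "alice", "//depot/payments/api/handlers.go"),
    ("d1", "bob", "//depot/mobile/app/Main.java"),
    ("d2", "bob", "//depot/mobile/app/Login.java"),
]
TODAY = [("d4", "alice", f"//depot/payments/api/f{i}.go") for i in range(6)] + [
    ("d4", "alice", "//depot/mobile/app/Keys.java"),  # alice strays into bob's project
    ("d4", "bob", "//depot/mobile/app/Main.java"),
]

def project_of(path):
    return path.split("/")[3]  # "//depot/payments/..." -> "payments"

def build_baseline(records):
    """Per user: projects normally touched and median distinct files per day."""
    per_day, projects = defaultdict(set), defaultdict(set)
    for day, user, path in records:
        per_day[(user, day)].add(path)
        projects[user].add(project_of(path))
    counts = defaultdict(list)
    for (user, _day), paths in per_day.items():
        counts[user].append(len(paths))
    return {u: {"projects": projects[u], "median_files": median(counts[u])} for u in projects}

def score_day(baseline, records, volume_factor=3):
    """Alerts (user, kind, detail): 'volume' at >= volume_factor x the user's median
    files, 'project' per project outside their usual set, 'unknown' with no history."""
    seen = defaultdict(set)
    for _day, user, path in records:
        seen[user].add(path)
    alerts = []
    for user, paths in sorted(seen.items()):
        base = baseline.get(user)
        if base is None:
            alerts.append((user, "unknown", len(paths)))
            continue
        if len(paths) >= volume_factor * base["median_files"]:
            alerts.append((user, "volume", len(paths)))
        for proj in sorted({project_of(p) for p in paths} - base["projects"]):
            alerts.append((user, "project", proj))
    return alerts
```

Running `score_day(build_baseline(HISTORY), TODAY)` flags alice twice (seven files against a median of two, and a project she has never touched) and says nothing about bob, whose day looks like every other day; a real deployment would also weight the sensitivity of the files involved.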

I'm really looking forward to the webinar Perforce are hosting on June 16th, where Forrester DevOps Analyst Kurt Bittner and Security Analyst Rick Holland will talk about the issues raised above and the solutions to them.