Security starts at source code — in the cloud.
This article was originally posted to CSOOnline here and this is a cross-post.
For years enterprises have been happily spending billions of dollars on “cyber security” to deal with an ongoing cat and mouse game — corporate IT security.
Here is how the game works: every week a new threat appears, and every week a new feature is released that controls the issue. Security vendors continue to innovate and release a slew of new tactics like endpoint security, malware detectors, crowd sourced analytics and now machine learning to keep up with the rapid pace of threat evolution.
In what is still is a cat and mouse game of “the enterprise playing catch up”, the threats are now so complex and the solutions so esoteric that the typical enterprise follows what others are doing instead of taking a deep look at their own security strategy holistically — who can blame them, everyone is super busy right? To compound it further, mindshare of the CIO still sit in post-deployment security exclusively.
The solution landscape is fragmented (see above); hundreds of companies in dozens of subcategories. It’s a byproduct of point solutions addressing individual threats for post-deployment scenarios. Furthermore, according to the Cisco 2017 Mid-year security report, hackers are taking advantage of the situation:
“The dramatic increase in cyber attack frequency, complexity, and size over the past year suggests that the economics of hacking have turned a corner, according to Radware, a Cisco partner. Radware notes that the modern hacking community is benefiting from quick and easy access to a range of useful and low-cost resources.”
The report merely affirms what the boardroom already knows — the security gap is widening as traditional endpoint, and perimeter based security solutions are no longer enough to protect digital data. Security Incident Event Management (SIEM), Identity and Access Management (IAM) and emerging technologies such as cloud-based malware sandboxes, cloud-based data encryption and web application firewalls are the fastest growing cloud-based security services segments. Yet, all of these solutions double-down on post-deployment scenarios.
Threats persist and are now plaguing Network Operation Centers (NOC) with “Alert fatigue”. Security talent is at an all time low — shortages everywhere, while the demands of the NOC are blowing up. Many security personnel see far more daily alerts than they can investigate, leaving potentially serious threats unaddressed.
There are several causes of alert fatigue. Siloed systems may create duplicate alerts, or teams may not have the knowledge to distinguish between low and high-priority alerts, or false positives. They may lack auditing tools such as auditing that can determine the source of potential threats. There are now so many tools and so many events happening that organizations have started to purchase products to consolidate and filter these events to handle the post-deployment threat crisis. Enterprises are overwhelmed, spending more every year and still losing.
Something is missing
By ignoring the root cause of the issue, vendors are simply stacking more and more software ontop the same post-deployment problem.
We must fundamentally change the lens around the security lifecycle and address the fact that before software grows up — into the products that are deployed and consumed by enterprises — it is born as code. Code is born in version control.
If code is born in version control does it not make sense to detect, mitigate and remediate the security issues at the source — instead of later? If not addressed early on, the code will surely transform into IT backdoors, data breaches and other threats that could be catastrophic for an organization's brand? Just look at the recent release of the Apache Struts vulnerability that affected nearly all Fortune 100 organizations. The simple vulnerability had been sitting there for years.
I’ll use an analogy; what sense does it make to build stronger doors, thicker walls and larger fences around a home when the bad guys are already in the house? Those tactics are important yes, but what is most important is looking at how bad guys were able to enter the house in the first place.
At Assembla we believe in a different approach, which is why we are announcing the launch of our Enterprise Cloud Version Control (ECVC) platform. We believe in holistic enterprise security. We believe in defense-in-depth. Securing code at the point of birth. Not just post-deployment, but pre-deployment as well. For too long have CISO’s ignored their most vulnerable asset their source code — when making security investments.
We are excited about the shift to ECVC and we want to tell the world why it’s an instrumental part of reshaping the lens of how organizations view security of their software while meeting strict compliance standards yet remaining agile in a security conscious software development lifecycle (SDLC) environment. Security does not mean loss of agility or speed — in fact with the Cloud, it means just the opposite.
We believe the world can be a better place if there are less vulnerabilities, less attacks, less people being held hostage by nefarious actors due to software vulnerabilities, and less money wasted on band-aid point solutions. As a community of software developers and service companies it is our job to protect our end customers. Let’s do so by starting with source code security!
Enter Enterprise Cloud Version Control (ECVC)
So why now? More and more enterprises are under pressure to move to the cloud. Competition, budgets and the unrelenting pace of innovation is forcing organizations to rethink on-premise investments. Security takes a back-seat as pace becomes an over-riding KPI to success. It’s time to make a serious push to the cloud and I’ll tell you why.
The cloud is where new services are created. This is where the innovation is occurring and software development teams are taking notice. Productivity and quality can be greatly enhanced by leveraging a myriad of cloud tools in your software development process (SDLC). If you don't’ already know — your developers are probably already doing this —maybe in secret. But what if they could do it without compromising security? What if they could do it as part of your comprehensive corporate IT security strategy?
At Assembla, where I lead technical strategy, we are answering this issue for our customers by doubling down on Subversion (SVN), making major enhancements to the centralized system, and making it available in the cloud. We’ve found that enterprises run on SVN, which powers mission-critical projects with front and center compliance requirements. Until recently, enterprises have been forced to settle for distributed version control and non-trunk based development to get to the cloud.
Whether it be SOC II, HIPAA or the EU’s upcoming GDPR we live and breathe compliance and have built a suite that lets your development move to the cloud while meeting stringent standards.
Secure your code — often
To properly secure your source code you must use multiple techniques. Each technique — static, dynamic, interactive, library analysis, manual review — yields different results for different categories of weaknesses. Consolidating the results from these techniques is tedious and time-consuming.
What if you could automate this during your Agile software code review process so that as code is reviewed by your teams, voted and merged into your repositories, you immediately get feedback on the security posture of any new changes or any new open source dependencies added to your source code? No longer will vulnerabilities sit hidden for months or weeks — or at best until the next white hat hacker reports the issue in production. Find the backdoors in real-time, find them early.
ECVC automatically consolidates and correlates the results of multiple scanners and multiple techniques limiting false positives. ECVC identifies vulnerabilities considered most-critical based on industry standards and regulatory compliance (HIPAA, SOC II, GDPR). It also helps you manage the consolidated results with easy ways to assign and track vulnerabilities for remediation, and report progress in your team. It does this while seamlessly integrating into your development environment; it works smoothly with popular build servers like Jenkins and issue trackers such as JIRA.
Our platform makes the process of securing your code simple. As the weaknesses found are linked to specific lines of code, and are verified by more than one tool — your application security team can take action immediately. Your developers can quickly find the line of codes affected by using our Code Browser and open a task to queue remediation of the issue.
ECVC gives you the power to build secure applications quickly and efficiently. When you commit code to your Assembla repositories, it will automatically run a preconfigured set of open source tools and third-party vulnerability analyzers to find flaws and vulnerabilities based on the languages in your code.
Next, it feeds the results to enterprise dashboards that let you gain insights in your source code’s security posture. Our natively integrated Assembla project management application helps you triage and prioritize vulnerabilities, assign and track their remediation, and monitor the progress of that remediation through the entire bug lifecycle.
If you’d like to join the conversation come check out our brand new website!
Stay tuned for more updates on enterprise cloud version control by following me or get on Twitter to stay up to date.