InfoSec Are Our Friends, Not Food

Curtis Blackthorne
Published in DevOps Dudes · 3 min read · Apr 10, 2020
[Image: Security button in a web browser with a mouse cursor over the letter S]

You’ve spent days, maybe even weeks, working on some new feature or an entirely new project. Things are going great and you’re ready to release your latest revision. Not so fast, though: have you run that new library you used pretty much everywhere past InfoSec?
Uh oh…

We’ve all been there, and this is one of those moments that could have been avoided. No, not by getting rid of pesky InfoSec people, but by actually working with them. And if you’re telling me that is impossible, I’m guessing you always avoid them until it is too late. But what would happen if you started talking to them at the beginning of your project?

A lot of the time, when InfoSec blocks a new application, library, or tool, it is not because the thing is vulnerable. It’s that InfoSec wasn’t given any time to research whether it is vulnerable or not, so they have to tell you no. Both of you might know that it’s safe, but there are still permissions that need approval, and InfoSec has to say no because it is their trust on the line if you accidentally use something vulnerable.

[Image: Series of security cameras looking down at two people]

But you’re agile, you scream! We have a DevOps team! We’re supposed to work fast and break things! Sure, but if you’re following DevOps practices, you should have been communicating with InfoSec during the planning phase. Did you include them in planning meetings, or at least send them the invite? If you aren’t involving them in planning, then it is on you that they are denying your requests to use your favorite tool.

Even if it isn’t possible to have them in every meeting, there has to be a way to give them the ability to approve or disapprove of something without actually being there. That is where vulnerability scanners come in handy. By having a tool in place, you can have InfoSec set up a series of rules that can be run against most things. These rules can be configured to simply allow or deny a tool, or to pass it along to a gate that requires an actual person to do some leg work.
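To make the allow/deny/review gate concrete, here is an added example (not code from the article or from any of the tools it names) of a minimal dependency policy gate that a build pipeline could run before a release. InfoSec owns the rule set: pre-approved packages with version ranges, known-bad packages or releases, and everything else falls through to a human review. The package names, versions and manifest format (`name==version` lines) are constructed for the example, and the three-way exit code is an assumption about how the pipeline would consume the result.

```python
"""Dependency policy gate for a CI pipeline (constructed example).

InfoSec owns the policy (allow / deny / review rules); the build runs it
against the pinned dependency manifest and fails or holds the release.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"    # pre-approved name and version range
    DENY = "deny"      # known-bad; fails the build outright
    REVIEW = "review"  # unknown to InfoSec; hold for a human decision


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str


Version = Tuple[int, ...]
# (min inclusive, max inclusive); None means unbounded on that side.
VersionRange = Tuple[Optional[Version], Optional[Version]]


@dataclass(frozen=True)
class Policy:
    allowed: Dict[str, List[VersionRange]]  # name -> approved ranges
    denied: Dict[str, List[VersionRange]]   # name -> bad ranges; [] = every version


def parse_version(text: str) -> Version:
    """Accept plain dotted numeric versions only ('1.4.2'); anything else is a policy error."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _compare(a: Version, b: Version) -> int:
    """Compare versions after zero-padding, so (1, 4) == (1, 4, 0)."""
    width = max(len(a), len(b))
    pa, pb = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (pa > pb) - (pa < pb)


def in_range(v: Version, rng: VersionRange) -> bool:
    lo, hi = rng
    return (lo is None or _compare(v, lo) >= 0) and (hi is None or _compare(v, hi) <= 0)


def evaluate(dep: Dependency, policy: Policy) -> Decision:
    v = parse_version(dep.version)
    # Deny rules win over allow rules: an approved package can still ship a bad release.
    if dep.name in policy.denied:
        bad = policy.denied[dep.name]
        if not bad or any(in_range(v, r) for r in bad):
            return Decision.DENY
    if any(in_range(v, r) for r in policy.allowed.get(dep.name, [])):
        return Decision.ALLOW
    # Not known-bad, but not pre-approved either: route it to a person instead of
    # silently passing it, which is the situation the article describes.
    return Decision.REVIEW


def parse_manifest(text: str) -> List[Dependency]:
    """Parse 'name==version' lines. Unpinned lines are rejected: the gate cannot vouch for a floating version."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unpinned or malformed dependency line: {line!r}")
        deps.append(Dependency(match.group(1), match.group(2)))
    return deps


def gate(manifest: str, policy: Policy) -> Dict[str, Decision]:
    return {dep.name: evaluate(dep, policy) for dep in parse_manifest(manifest)}


def exit_code(results: Dict[str, Decision]) -> int:
    """Assumed pipeline contract: 0 = release, 1 = blocked, 2 = parked for InfoSec review."""
    if any(d is Decision.DENY for d in results.values()):
        return 1
    if any(d is Decision.REVIEW for d in results.values()):
        return 2
    return 0


# Constructed policy and manifest; the package names are made up for the example.
SAMPLE_POLICY = Policy(
    allowed={
        "acme-http": [(parse_version("2.0"), parse_version("2.9.99"))],
        "acme-logger": [(parse_version("1.0"), None)],
    },
    denied={
        "acme-http": [(parse_version("2.4.0"), parse_version("2.4.1"))],  # bad releases inside the approved range
        "sketchy-archive": [],  # denied at every version
    },
)

SAMPLE_MANIFEST = """
# constructed manifest for the example
acme-http==2.4.1       # approved package, but a denied release
acme-logger==1.7.0     # approved
sketchy-archive==0.3   # denied outright
new-shiny-lib==0.1.0   # InfoSec has never heard of it
"""

if __name__ == "__main__":
    results = gate(SAMPLE_MANIFEST, SAMPLE_POLICY)
    for name, decision in results.items():
        print(f"{name:16} {decision.value}")
    raise SystemExit(exit_code(results))
```

The point of the three-way result is that "unknown" is not treated as "fine": an unapproved package parks the build for a person to look at, while a known-bad release fails it immediately even if the package as a whole is on the approved list.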

[Image: Door with handles shaped like locks]

Tools like Nexus IQ, BeyondTrust, Swascan, or SRC:CLR can fill that role. Each tool comes with varying degrees of complexity, thoroughness, and cost :) Once again, don’t just pick a tool and tell InfoSec later. Talk with them; they might already have a tool in place or have something in mind but have been waiting on you to ask!



DevOps Champion @ a large financial institution. DevOps practitioner for over a decade in Finance/Gov space. Process improvement specialist