Are speed and security mutually exclusive?
Here’s a situation that is likely familiar to you if you work in enterprise IT. The need for strong security practices is more pressing than ever, with known vulnerabilities growing exponentially, and nearly half of companies having experienced a data breach in the last two years. At the same time, organizations face demands to deploy software faster, and more frequently.
IT executives consistently identify cybersecurity and speed among their top priorities. Both have major implications for the business and put increased pressure on IT teams. Unfortunately, these objectives seem to be at odds. How can you move both faster and more securely?
The security problem
The current state of cybersecurity offers much to worry about. Security breaches continue to become more frequent and more expensive. In a 2019 study of the state of vulnerability response, Ponemon Institute reported a 17% increase in the volume of cyberattacks over the previous 12 months, with organizations spending an average of $1.4 million each year on vulnerability management.
Hackers have grown increasingly sophisticated, benefitting from advances in machine learning and artificial intelligence. And the unfortunate reality is that they have an advantage — even one unremediated vulnerability leaves your organization exposed. The larger and more complex your infrastructure, the broader the attack surface, and the harder it is to protect.
The need for speed — and the security speed bump
Accelerating time to market and responding quickly to customers’ needs are mission-critical for just about every organization. This has implications for all areas of the business, but perhaps none more than the IT team. A 2019 McKinsey report underscores this point, noting that “Digital innovation has become central to the full range of business transformation initiatives.” CIOs and CTOs are on the hook to modernize infrastructure and deliver increased agility.
One of the greatest perceived barriers to achieving this much-sought-after agility? You (probably) guessed it: security. McKinsey’s research shows that “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.” Accelerating development and delivery leaves less time for code review, which often translates to poor security outcomes.
From mutually exclusive to mutually beneficial
While there are some clear incompatibilities between speed and security, they are not, in fact, mutually exclusive; they can actually be complementary.
As Puppet’s 2019 State of DevOps Report shows, organizations at the highest stages of DevOps evolution also have the greatest confidence in their security posture. This is not a coincidence; the principles and practices that drive good outcomes for software development — culture, automation, measurement, and sharing — also lead to good security outcomes. The companies that have seen success in both areas tend to adopt a few common practices:
1. Involve security teams early and often
This is not a new idea, but without it, there is little hope of achieving both speed and security. When development, operations, and security collaborate throughout the software delivery lifecycle, all parties benefit.
Leaving security review until the final stages of design and development often results in delays and costly fixes. A study by IBM System Science Institute found that it costs 6 times more to fix a bug found during implementation than to fix one identified during design; 15 times more if it’s identified in testing; and 100 times more during regular maintenance once the code is in production.
Development, operations, and security teams should collaborate on threat-modeling exercises, evaluating infrastructure from the perspective of a hacker. Understanding which assets would be the greatest targets, and identifying weaknesses and potential access points, helps build a solid line of defense.
2. Know your network
Proactive security requires, of course, an awareness of the vulnerabilities that pose a risk to your infrastructure; but without a full picture of your network, a list of vulnerabilities won’t do much good. You can’t protect a machine that you don’t know exists.
Puppet Remediate makes it easy to see what you have and which systems are most vulnerable. Through integrations with common security scanners — Rapid7, Tenable, and Qualys — Puppet Remediate displays a real-time dashboard of all vulnerabilities impacting your network. Threats are prioritized based on infrastructure context, which takes into account the criticality of a given vulnerability as well as the number of systems impacted.
3. Automate vulnerability management
A degree of automation is essential in any modern IT organization, but many companies still depend on manual processes for key security measures. Manual work is particularly problematic when it comes to vulnerability remediation.
The majority of breaches are a result of known vulnerabilities that have not been addressed. In many cases, failing to remediate them isn’t for lack of trying — a 2019 survey by Ponemon and ServiceNow found that companies spend an average of 443 hours per week managing vulnerability response. And yet, as the number of vulnerabilities and the means of exploiting them grow, it’s virtually impossible to manually prioritize and remediate in a timely fashion.
This problem is compounded by manual data transfer between security and IT Ops teams. Typically, security uses a scanning tool to identify vulnerabilities, then exports a list and emails it to IT Ops. This static data is only updated when another scan is performed and another list is handed over. In the meantime, the operations team is left in the dark.
With Puppet Remediate, vulnerability data from your scanner is automatically surfaced in a dashboard, eliminating lag time associated with manual handoffs and providing a single source of truth for security and IT Ops. Rather than sifting through a spreadsheet of hundreds of vulnerabilities, the operations team can filter by severity and prevalence and tackle the greatest risks first. Vulnerabilities can then be remediated directly from the dashboard, via agentless tasks that allow you to manage packages and services and run a shell command.
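As an added illustration of the prioritization described above (example code written for this post, not Puppet Remediate's own implementation), the script below aggregates a constructed scanner export per vulnerability and ranks findings by severity and prevalence, then filters the way an operations team would before working the list. The scoring formula (CVSS score times number of distinct hosts affected) and the CVE ids are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export, one row per (host, finding). The CVE ids are
# placeholders, not real advisories.
SCAN_EXPORT = """host,vuln_id,cvss
web-01,CVE-0000-0001,9.8
web-02,CVE-0000-0001,9.8
web-03,CVE-0000-0001,9.8
db-01,CVE-0000-0002,7.5
db-01,CVE-0000-0003,4.3
web-01,CVE-0000-0003,4.3
app-01,CVE-0000-0002,7.5
"""

def parse_export(text):
    """Parse the CSV export into (host, vuln_id, cvss) tuples."""
    return [(r["host"], r["vuln_id"], float(r["cvss"]))
            for r in csv.DictReader(io.StringIO(text))]

def prioritize(rows):
    """Aggregate per vulnerability and rank by criticality times prevalence.
    Assumed scoring, not Puppet Remediate's own: CVSS * distinct hosts affected."""
    hosts_by_vuln = defaultdict(set)
    cvss_by_vuln = {}
    for host, vuln_id, cvss in rows:
        hosts_by_vuln[vuln_id].add(host)
        cvss_by_vuln[vuln_id] = max(cvss, cvss_by_vuln.get(vuln_id, 0.0))
    ranked = [{
        "vuln_id": v,
        "cvss": cvss_by_vuln[v],
        "hosts": sorted(hosts),
        "priority": round(cvss_by_vuln[v] * len(hosts), 1),
    } for v, hosts in hosts_by_vuln.items()]
    # Highest priority first; CVSS breaks ties so a critical single-host
    # finding still outranks a low-severity finding with the same product.
    ranked.sort(key=lambda r: (r["priority"], r["cvss"]), reverse=True)
    return ranked

def filter_findings(ranked, min_cvss=0.0, min_hosts=1):
    """Narrow the ranked list by severity and prevalence thresholds."""
    return [r for r in ranked
            if r["cvss"] >= min_cvss and len(r["hosts"]) >= min_hosts]

if __name__ == "__main__":
    for r in prioritize(parse_export(SCAN_EXPORT)):
        print(f"{r['vuln_id']}  cvss={r['cvss']}  hosts={len(r['hosts'])}  "
              f"priority={r['priority']}")
```

Swapping in a real scanner's CSV export only requires matching the three column names; the ranking and filtering logic is unchanged.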
Accelerating software delivery has obvious (and potentially negative) implications for your security practice, but it is possible to find a middle ground. Inevitably, there is some upfront work required to shift entrenched team dynamics and incorporate new tooling, but the end result is well worth the investment.
Simone Van Cleve is a product marketing manager at Puppet.
- Learn more about [Puppet Remediate](https://puppet.com/blog/enhanced-dashboards-available-in-puppet-remediate-1-2/).
- Get more tips to [accelerate your organization’s digital transformation](https://puppet.com/resources/whitepaper/accelerate-digital-transformation-with-an-infrastructure-as-code-strategy/).
- Check out this collection of sessions from Puppetize PDX on [patching best practices](https://puppet.com/blog/patch-management-best-practices-insights-from-puppetize-pdx/).