Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. We hosted this Session featuring a group of CXOs and other IT executives. The group met remotely to discuss shifting left and incorporating hacker-powered security into SDLC, led by the CISO & VP of IT Security, Data Protection & Compliance for a hotel & casino resort organization. This Session was sponsored by HackerOne.
Securing your business in today’s world requires much more than investing in modern tools and technologies. Attackers are becoming more and more sophisticated, and the only way to keep them at bay is to walk in their shoes: put on your white hat and try to infiltrate your own systems. Run penetration tests and vulnerability scans, and go through the routines a potential attacker would use. Shift security left until it reaches the first stage of your SDLC. Catch security flaws early, design security-first applications, and save your business a lot of time, effort, and money.
A senior IT executive said that while performing vulnerability assessments and penetration testing, it’s important to view your infrastructure “with different optics.” You must have a 360° view of your business and all its assets. They added that we need to break through the firewall-based mindset, as it’s no longer enough. Just because you have a firewall with strict predefined rules doesn’t mean that your network is protected. You need to consider each asset and evaluate how, and by whom, it could be accessed without authorization. While doing penetration testing, you have to assume that someone is already inside your network. It could be someone with bad intent, or someone with more privileges than usual who can cause accidental damage.
A speaker mentioned that previously, their company’s primary motivation to perform penetration testing was to meet compliance requirements. A third party would perform vulnerability scans and hand them pen-test reports that ticked all the compliance checkboxes. They had to explain to their boss the importance of performing a proper penetration test, one that could identify failures in business processes and security gaps. Once they got the approval and performed the test, they were able to find poorly controlled assets and other vulnerabilities. This allowed them to have a larger conversation around security and the need to take a proactive approach. They were able to make a case for an identity management solution, which would improve their security posture and make it easier for employees to log in.
Security can no longer be an afterthought. It needs to be introduced as early as possible in the software development life cycle. Developers must adhere to security guidelines and best practices. Staging and QA environments should support penetration testing. Nothing should be deployed to production before it has been pen tested and scanned. Once the application is live, it should be rigorously monitored and audited to ensure that no vulnerabilities or bugs slip through.
Incorporating security into applications can sometimes slow down the speed of delivery. When asked how to reduce this security vs. speed tension, a participant remarked that you need to educate the non-technical people within your organization. For example, sit down with your product owners and account managers and tell them, “It’s a lot easier to develop something secure from the start than to do so on the day before you go live.” If a vulnerability scan run one day before production reveals multiple vulnerable libraries, chaos will ensue. However, if you had taken care from day one, you wouldn’t have used those libraries in the first place.
An exec from a cloud services provider shared how challenging it can be to explain to customers what they can and can’t do in a multi-tenant environment. He compared operating in a multi-tenant environment to living in a condo: you can do whatever you want inside your condo, but you can’t touch anything outside it. Customers often raise requests that would amount to significant security risks, such as “I need access to this console” or “I need exclusive rights to this database.”
Attack surface discovery is one of the most important security practices, and it gets neglected in many organizations. If you don’t know what’s there, you can’t protect it. You must reduce your attack surface not only externally but also internally. A rogue employee with valid credentials shouldn’t be able to take the whole business down.