The cybersecurity world often resembles a race against time. Organizations have a finite amount of resources and limited runway to find and fix bugs in code before malicious actors can discover and exploit them with damaging results.
The way to best minimize this exposure is to fix bugs before software has been deployed into cloud native or other environments. This means catching potentially fatal flaws as code is being written using tools that continuously integrate and scan in-process. It is an approach that represents a “shift left” in the DevOps world, a practice in software development where problem prevention is the priority versus detection after the fact.
“When we think about where security lives, it is either a blocker to deploying in production or it lives long after code has been deployed to production and there’s a security team constantly playing catchup,” said Joni Klippert (pictured), founder and chief executive officer of StackHawk Inc. “They’re looking at it months after software has been deployed and then hurrying to assess where the bugs are and trying to get that back to software developers so they can fix those issues. Shifting left means software engineers are fighting those bugs as they are writing code or in the continuous integration/continuous delivery pipeline long before code has been deployed to production.”
Klippert spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during theCUBE on Cloud event. They discussed the need to bake security into the development process, separating the “noise” created by a large number of security vendors to protect code, the use of dynamic application security, and the value of penetration testing in the enterprise.
Understanding software development
The “shift left” approach offered by Klippert and her firm is a form of baking security into the development process rather than trying to bolt it on after software has been deployed into production. The case for baking in security is hard to oppose, especially as news of escalating ransomware attacks or a major breach make headlines on nearly a weekly basis. It is also hard to do.
“It isn’t trivial, and, in my opinion, there aren’t a lot of tools on the market that actually make that very easy,” Klippert said. “Because of lot of tools were built to run in production, it makes it really difficult to bake them in from the beginning. You really have to have a lot of empathy and understanding for how software is built and how software engineers behave in order to get this right.”
That level of empathy for the job of a software developer extends to issues within the cybersecurity industry itself. As threats have mounted, so has the noise surrounding numerous products that claim to offer the silver bullet for security protection in the enterprise.
“There were 1,300 venture-backed security companies since 2012 focused on selling to CISOs and Fortune 2000 companies,” Klippert noted. “It is a mess; it’s so noisy. Nobody can figure out what anybody actually does.”
Filtering out the noise
The concept behind StackHawk’s approach is dynamic application security testing, or DAST. This testing is applied against a running version of an application, searching for security bugs that could be identified by a malicious hacker. The goal is to filter out the noise and identify the critical issues that would be worth the time to fix.
“Limit the noise; make it as easy as possible,” Klippert said. “You make the tooling work so that it works for the software engineer and their workflow. Make sure that we only show the most critical things that are worth an engineer stopping what they are doing in terms of building business value and going back and fixing bugs.”
One of the security techniques in common use is penetration testing, a form of ethical hacking where organizations will deliberately attempt to breach internal systems as a way to find security flaws. Penetration testing is a growing market, forecasted to expand to $4.5 billion in four years, but Klippert advises that additional scanning may be needed to get deeper into potentially serious security flaws.
“Pen tests are important, and everybody should do them, but that should not be the introduction to these issues that are also easy to automate and find in your system,” Klippert said. “Run StackHawk in an automated fashion on your system, and then give the configuration and most recent results to your pen tester and say: ‘Go find the hard stuff.’”
Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of theCUBE on Cloud event.
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.
If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.