As more organizations adopt DevSecOps practices and move to the cloud, a consensus is emerging that developers should assume more responsibility for security. The trouble is, most organizations aren’t providing the guidance and tools developers need to accomplish that goal. As a consequence, what passes for a DevSecOps strategy for building, deploying and managing workloads on the cloud often winds up being little more than a sermon. Preaching to developers about the importance of being mindful of security can backfire, and developers eventually come to resent it. How many developers feel they are being blamed for cybersecurity issues they can’t do much about?
In the meantime, cybersecurity teams continue to throw lists at developers containing the latest security gaps without any context on what they want developers to accomplish. A global survey of 3,650 software professionals published this week by GitLab, a provider of a continuous integration/continuous delivery (CI/CD) platform, shows security teams believe developers are not finding enough bugs at the earliest stages of development and are slow to prioritize fixing them. More than 42% said testing still happens too late in the life cycle, while 36% reported it was difficult to understand, process and fix any discovered vulnerabilities. Just less than a third (31%) said prioritizing vulnerability remediation is still an uphill battle.
Cloud developers, of course, would beg to differ. They are routinely being forced to choose between adding features or fixing bugs, some of which include cybersecurity vulnerabilities. In the absence of any prioritization, cybersecurity issues become just one more thing on a long list of requests cloud application development teams are struggling to address.
As More Organizations Turn to Cloud, Security With Speed to Market is a Critical Balancing Act
Of course, securing those business-critical applications is a high priority as more companies begin migrating workloads to the cloud. Speed is the enemy of cybersecurity. Cybercriminals are constantly scanning for misconfigurations that, unfortunately, are all too common in the cloud. Ports that are left open create opportunities for cybercriminals to wreak maximum havoc.
Cloud is Reliant on the Right Tools and Defined Best Practices to Achieve Security
Preventing cloud breaches takes more than just access to tools. IT teams need to ally with security vendors that have a deep understanding of how the cloud platforms hosting their deployed applications operate. As the largest provider of cloud services on the planet, Amazon Web Services (AWS) maintains a refined set of AWS security best practices and accessible knowledge bases, which IT security vendor ThreatModeler leverages to reduce the time and cost of threat modeling for AWS customers.
ThreatModeler incorporates those AWS best practices into the ThreatModeler platform and integrates with AWS services including AWS Config, AWS Security Hub and others. The end result is a threat model built from the cloud architecture diagram that enables IT teams to identify cybersecurity threats long before an application is deployed. This approach reduces the time and costs associated with creating a threat model for applications deployed on AWS by as much as 85%.
After an application is deployed, AWS Security Epics Automated analyzes the live AWS service environment created from the diagram to further validate whether the appropriate security controls are in place. If any issues arise from drift away from the original architecture, ThreatModeler alerts developers, via its integration with the CI/CD toolchain, to the potential severity of any vulnerability discovered. That capability not only provides the context developers need to prioritize their efforts, but it also substantially reduces the amount of time it takes to remediate a vulnerability.
AWS values that approach so highly that ThreatModeler has entered a strategic joint offering with Amazon Web Services Professional Services (ProServe) Security and Infrastructure Global (S&I) Specialty Practice (GSP) to enable secure applications to be deployed using AWS services, including AWS CloudFormation, in less than 30 days. The joint offering is titled AWS Security Epics Automated.
AWS Security Epics Automated Ensures Security is an Organization-wide Effort
Everyone involved in building and deploying applications has a vested interest in security. At a time when larger numbers of application workloads are heading into the cloud, the two things DevSecOps teams now need more than ever are direction and tools. No one wants to discover after the fact that critical data was stolen because an issue was overlooked. This is an organization-wide effort that includes security architects, developers, CISOs and all business functions in between.
However, as cloud architectures become more complex, it is also becoming impossible to discover every potential attack surface entry point manually. No team can deploy perfectly secure code the first time, every time. As long as human beings write code, there will be errors. Rather than pretend otherwise, the time has come to embrace DevSecOps tools that provide insight and automation to elevate the cloud security expertise of the entire IT team, rather than simply shifting responsibility for cybersecurity to the left.
Automatically Design, Build and Manage Cloud Security With ThreatModeler
ThreatModeler is a commercial platform that empowers DevSecOps teams to protect their IT environment and applications through automated threat modeling. At a fraction of the time and cost of other threat modeling tools, users can design, build and manage security from development to deployment. Teams can instantly visualize their attack surface, understand security requirements and prioritize steps to mitigate risk. ThreatModeler supports security validation through a highly collaborative user experience that clearly articulates security posture, so CISOs can make critical security-driven business decisions to scale their infrastructure for growth.