By Miju Han, Director of Product Management at HackerOne
As a Director of Security, it’s your responsibility to create an environment that encourages security, making the day-to-day measures much easier.
How do you create programs designed to deliver security at DevOps speeds? How do you stay ahead of coding errors that can cause large amounts of damage? Do you share what you’ve learned with others or keep it secret?
The Art of Continuous Security
“Continuous security” may seem like a strange phrase. Nothing is 100% secure. No one silver bullet exists that keeps all systems everywhere impenetrable. But that’s not the main goal with continuous security.
Continuous security is a defined process that allows you to know what is happening in your environment and react quickly to it. It uses smart automation to make security the default. You make security an intrinsic part of your applications without stopping development teams from delivering quickly.
The use of the term “art” in the chapter title is deliberate. Security in a DevOps environment is often more an art than a science. There are concrete aspects, such as metrics to measure test coverage or policies to prevent rogue servers or buckets. But how much test coverage is enough? 70%? 80%? And who should have authority to create servers, all admins or a select few?
These are decisions that have to be made. You can get advice from hundreds of articles on the internet, but the final decision is yours. You make it and you have to live with it.
The best guideline to use is your customers. What will it take to make sure your software is trustworthy? Your goal should be to build software your customers will trust. Often, vanity metrics or minimum thresholds only deliver minimum security. Being trustworthy takes much more than just meeting the minimum.
Build a Culture of Security
Culture is like the personality of a company: its operating environment, and the values, mission, and attitude of the company and its employees.
Security has often been a background process, like scanning for vulnerabilities or performing a vulnerability assessment before deploying to production.
That’s not enough for continuous security.
Your developers should understand basic application security principles. They should be trained to understand exactly what processes exist and why. Allow them to spend time with the security team, learning what to look for and what applications look like through the security team’s eyes. Allow the security team to spend time with the developers. Learn what security processes get in the way and eliminate them.
Give developers the freedom to experiment. Trust that they want to do the right thing, then verify. When mistakes happen, help solve the problem without placing blame or punishing whoever made the mistake. Instead, fix your systems so the same mistake can’t be made again.
Make security worth something. Give $200 to the developer who reports a strange VM running in the cloud or fixes a nasty vulnerability without the security team having to ask first. Reward the marketing employee when she reports a phishing email, even when no tests are ongoing.
Build security in as much as possible. Common security features, like authentication and authorization, should be built into reusable development frameworks. Build servers with automated scripts based on a known secure template. Make security easy. Someone should have to work hard to build an insecure system.
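One concrete shape that "a known secure template" and "policies to prevent rogue servers or buckets" can take is policy-as-code: every resource starts from a secure baseline, weakening it requires a written justification, and an inventory scan flags anything that was not built from the template. The block below is an added illustration written for this page, not HackerOne's code; the baseline keys, the `override_justification` field, the CIDR values and the discovered inventory are all constructed for the example.

```python
"""Secure-by-default resource templates with a policy gate and an inventory audit.

Illustrative example only; every key, value and sample resource here is constructed.
"""
from dataclasses import dataclass

# The known-secure template every new server or bucket starts from.
SECURE_BASELINE = {
    "server": {
        "encryption_at_rest": True,
        "public_ip": False,
        "ssh_ingress_cidrs": ["10.0.0.0/8"],  # constructed internal range
        "config_managed": True,               # built by the automated script
    },
    "bucket": {
        "encryption_at_rest": True,
        "public_read": False,
        "versioning": True,
        "config_managed": True,
    },
}


@dataclass
class Finding:
    resource: str
    key: str
    expected: object
    actual: object

    def __str__(self):
        return f"{self.resource}.{self.key}: expected {self.expected!r}, got {self.actual!r}"


def apply_template(kind, name, overrides=None):
    """Build a resource spec: secure baseline first, then the requested overrides.

    Overrides that weaken a baseline setting are refused unless the caller
    supplies an 'override_justification'. Keys outside the baseline (for
    example an instance size) pass through untouched. That is what makes the
    insecure system the one that takes extra work to build.
    """
    if kind not in SECURE_BASELINE:
        raise ValueError(f"unknown resource kind {kind!r}")
    baseline = SECURE_BASELINE[kind]
    overrides = dict(overrides or {})  # copy so the caller's dict is not mutated
    justification = overrides.pop("override_justification", None)
    weakened = {k: v for k, v in overrides.items() if k in baseline and baseline[k] != v}
    if weakened and not justification:
        raise PermissionError(
            f"{name}: overriding {sorted(weakened)} requires override_justification"
        )
    spec = {"kind": kind, "name": name, **baseline, **overrides}
    if justification:
        spec["override_justification"] = justification
    return spec


def policy_check(spec):
    """Compare one resource spec against the baseline and return the deviations."""
    baseline = SECURE_BASELINE[spec["kind"]]
    return [
        Finding(spec["name"], key, expected, spec.get(key))
        for key, expected in baseline.items()
        if spec.get(key) != expected
    ]


def audit_inventory(inventory):
    """Run policy_check over discovered resources; map resource name -> findings.

    A resource with config_managed False was not built from the template, so
    the 'strange VM running in the cloud' shows up here as a finding too.
    """
    report = {}
    for spec in inventory:
        name = spec.get("name", "<unnamed>")
        if spec.get("kind") not in SECURE_BASELINE:
            report[name] = [Finding(name, "kind", "known kind", spec.get("kind"))]
            continue
        findings = policy_check(spec)
        if findings:
            report[name] = findings
    return report


# Constructed inventory: one template-built server and one hand-made box.
DISCOVERED = [
    apply_template("server", "web-1", {"instance_type": "m5.large"}),
    {
        "kind": "server",
        "name": "dev-box-17",
        "encryption_at_rest": False,
        "public_ip": True,
        "ssh_ingress_cidrs": ["0.0.0.0/0"],
        "config_managed": False,
    },
]

if __name__ == "__main__":
    for name, findings in audit_inventory(DISCOVERED).items():
        for f in findings:
            print(f)
```

Run as a script it prints the four deviations on `dev-box-17` and nothing for `web-1`. The same `policy_check` can sit in a CI step so a deviation is caught before deployment rather than by a later scan, and the justification field gives you the audit trail for the exceptions you chose to allow.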
Introduce the entire company to what your security team does and why it’s important. Fun events like security expos give you the chance to demonstrate what attackers can do if they succeed in breaching the company. Show a day in the life of a security engineer or incident response engineer. Tell the security team’s story, entertain your visitors. If it’s memorable, you’ll have less friction when you need to introduce new policies or standards.
Above all, make your customer the focus. Build your culture around delivering the best service to your customers—not just keeping the lights on, but becoming trustworthy stewards of their data.
Building a culture takes time, but is well worth the effort. Security has become everyone’s job. Make security easy. Make it fun. Make it worth something.