How to Move Security Up the DevOps Priority List


If you are in the information security business like me, you have probably improved your frequent flyer status recently. Indeed, May and June are when most industry events occur. Like birds, we fly when spring arrives.

In this blog, I’ll share some thoughts based on conversations I had during my own journeys, including those at the global OWASP conference in Tel Aviv, Israel.

The audience was mostly split between developers and researchers, and then me, supposedly the only marketing guy within a mile radius. Since the event was held in Tel Aviv–an information security innovation hub–the vendor/customer ratio was higher than usual.

DevOps’ Least Favorite Word is “Security”

According to Radware’s C-Suite survey, 75% of organizations have turned information security into a marketing message. Meaning, executives understand that consumers are looking for secure products and services, and actively sell to that notion.

But do developers share the same insight, or accountability?

By nature, information security is the enemy of the agile world. In an age where software development has shifted from 80% code writing and 20% integration to 20% code writing and 80% integration, all DevOps has to do is assemble the right puzzle: scalable infrastructure, available open source modules, and end-to-end automation and orchestration tools for provisioning, run-time management and even security testing.


In other words, there’s no need to start from scratch today. Being familiar with more tools and knowing how to navigate GitHub (and other open-source communities) efficiently can yield more success than coding skills. Moreover, it yields faster time-to-market, which seems to be in everybody’s interest.

Agility is the Name of the Game

As I mentioned, the global OWASP event attracted many vendors. However, will pitching ‘best of breed security’ do the trick? If you are the only one that can block rare attacks that only sophisticated hackers can carry out, is there a real business opportunity for your start-up to grow?

Well, DevOps says no!

And they are right. Running applications in the public cloud is all about efficiency and scale. Serverless and micro-services architectures fragment monolithic applications into components that are created, run and vanish without any supervision or visibility from the developer. It is done via end-to-end automation, where the main orchestration tool is Kubernetes.


This is agility.

Building Secure Products and Services

Both efficiency and agility are legitimate business objectives. Why would DevOps let security interfere with them and add to their list of ‘what ifs’?

Ironically, success doesn’t depend on how well an application security solution detects and mitigates attacks. It correlates better with how well the solution integrates into the SDLC (software development lifecycle), which essentially means it can interoperate with these orchestration and automation tools.

Before building security features, vendors should think of hands-off implementation, auto-scale, zero to minimal day-to-day management and APIs to exchange data with other tools in the customer environment.


Once all that is in place, it’s time to proceed to security and start building the algorithmics of the detection engines and the mitigation methods.

Keep in mind security can’t be static anymore; it must be dynamic and evolving. Solutions must be able to learn and profile the behavior of traffic to the application and create policies automatically, adjusting the rules over time when changes are introduced by the dev side. This is key for CI/CD, because the last thing developers want to hear is that they have to go back to the code to reassess and test its logic: every wrong decision translates into either a legitimate user kept out (a false positive) or an attacker let in (a false negative).

Self-sufficient algorithmics reduces TCO significantly by reducing the required management labor – a plague in old application security solutions.
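To make the trade-off above concrete, here is a toy positive-security profiler. It is an added illustration written for this post, not Radware’s engine or anyone’s product code, and every name in it (Profiler, shape_of, the /login traffic, the client addresses) is constructed. It learns which parameters each path accepts and which value shapes they take, then enforces that profile. The scenario shows the three outcomes the paragraph talks about: a learned profile blocking an injection-shaped value, a developer shipping a new form field and triggering false positives, and the profile adjusting itself once enough distinct clients send the new field, without anyone going back to the code.

```python
import re
from collections import defaultdict

# Coarse value classes; first match wins, anything else is "free".
SHAPES = [
    ("int", re.compile(r"^\d+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_.-]+$")),
]


def shape_of(value):
    """Map a parameter value to a coarse class ('int', 'alnum' or 'free')."""
    for name, rx in SHAPES:
        if rx.match(value):
            return name
    return "free"   # spaces, quotes, angle brackets ...: where injection payloads land


class Profiler:
    """Per-path positive model: which parameters exist and what shapes their values take.
    Hypothetical example code; not a product's learning engine."""

    def __init__(self, min_samples=3, promote_after=5):
        self.min_samples = min_samples      # observations before a parameter rule is enforced
        self.promote_after = promote_after  # distinct clients before an unknown parameter is accepted
        self.seen = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))  # path -> param -> shape -> count
        self.candidates = defaultdict(lambda: defaultdict(set))                 # path -> param -> {clients}
        self.policy = {}                                                        # path -> {param: {shapes}}

    def _rebuild(self, path):
        self.policy[path] = {
            param: set(shapes)
            for param, shapes in self.seen[path].items()
            if sum(shapes.values()) >= self.min_samples
        }

    def learn(self, path, params):
        """Learning phase: record observed parameters and value shapes, derive the policy."""
        for k, v in params.items():
            self.seen[path][k][shape_of(v)] += 1
        self._rebuild(path)

    def check(self, path, params, client="0.0.0.0"):
        """Enforcement phase. Returns 'allow', 'learning' or 'block: <reasons>'."""
        if path not in self.policy:
            return "learning"
        reasons = []
        for k, v in params.items():
            rules = self.policy[path]
            if k not in rules:
                # Unknown parameter: a developer change (new form field) or an attacker probing.
                self.candidates[path][k].add(client)
                if len(self.candidates[path][k]) < self.promote_after:
                    reasons.append(f"unknown parameter {k!r}")
                    continue
                # Enough distinct clients sent it: promote it into the profile, no code change needed.
                self.seen[path][k][shape_of(v)] += self.min_samples
                self._rebuild(path)
                continue
            if shape_of(v) not in rules[k]:
                reasons.append(f"{k!r} value shape {shape_of(v)!r} not in profile {sorted(rules[k])}")
        return "allow" if not reasons else "block: " + "; ".join(reasons)


def scenario():
    """Constructed traffic; returns the verdict at each stage so the trade-offs are visible."""
    p = Profiler()
    # 1. Learning: three legitimate logins (constructed). pwd takes both alnum and free values.
    for user, pwd in [("alice", "hunter2"), ("bob", "correct horse"), ("carol", "s3cret")]:
        p.learn("/login", {"user": user, "pwd": pwd})
    out = {}
    out["legit"] = p.check("/login", {"user": "dave", "pwd": "x y"})
    out["sqli"] = p.check("/login", {"user": "' OR 1=1--", "pwd": "x"})
    # 2. Developers ship a 'remember me' checkbox without telling anyone: the first requests are blocked.
    out["after_deploy"] = p.check("/login", {"user": "erin", "pwd": "z", "remember": "1"}, client="10.0.0.1")
    # 3. Once promote_after distinct clients have sent the field, the profile adjusts itself.
    for n in range(2, 6):
        verdict = p.check("/login", {"user": "erin", "pwd": "z", "remember": "1"}, client=f"10.0.0.{n}")
    out["promoted"] = verdict
    out["steady"] = p.check("/login", {"user": "frank", "pwd": "q", "remember": "0"}, client="10.0.0.9")
    return out


if __name__ == "__main__":
    for stage, verdict in scenario().items():
        print(f"{stage:>13}: {verdict}")
```

The promotion rule is where the false-positive/false-negative balance lives: counting distinct clients lets a deployment-time change heal itself, but an attacker with enough source addresses can teach the profile a parameter it should never have accepted. A production engine would gate promotion on more than a client count (for example, the share of all traffic that carries the field and whether its values look like payloads), which is exactly the kind of self-sufficient algorithmics the text refers to.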

To automatic policy generation, DevOps says yes, and that allows the executives to market secure products and services.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.


Ben Zilberman

Ben Zilberman is a director of product marketing, covering application security at Radware. In this role, Ben specializes in web application and API protection, as well as bot management solutions. In parallel, Ben drives some of Radware’s thought leadership and research programs. Ben has over 10 years of diverse experience in the industry, leading marketing programs for network and application security solutions, including firewalls, threat prevention, web security and DDoS protection technologies. Prior to joining Radware, Ben served as a trusted advisor at Check Point Software Technologies, where he led channel partnerships and sales operations. Ben holds a BA in Economics and an MBA from Tel Aviv University.
