Why security professionals need to engage with developers [Q&A]
Security is often an afterthought for developers, yet building it into an application at an early stage can save companies time and money.
We spoke with Matt Glenn, vice president of product management at Illumio, who shared his insights on why security professionals should be engaging with developers, and why segmentation is becoming a go-to tool for developers to easily implement security into their processes.
BN: Why should developers implement security earlier in their development process? And how does adding security into the DevOps cycle save time and money for organizations?
MG: Organizations are no longer interested in using yesterday's technology tomorrow -- and that's a good thing because yesterday's processes don't work in the agile world of today. Historically, application security came at the very end of the product development lifecycle. There has been static analysis of code, but generally that too happened at the end of the software development lifecycle.
The issue was silos -- security was in a different group from developers, and an organization's competitiveness was not linked to software development agility. But things have changed.
When developers work hand-in-hand with security in an agile environment (sometimes called DevSecOps), applications are deployed faster, and security stops being the department of 'no' and becomes the department of 'go.' The real question, though, is how to do this?
The answer is educating developers on security, and doing this by creating principles to go by in software development. Key to this is segmentation, a technology that assumes breach. An 'assume breach' mentality is the idea of preparing for the worst and creating security policies under the impression that your organization will at some point be breached. When you assume that a breach will happen, then security becomes proactive rather than reactive or detection-based. Segmentation is a base fundamental of a proactive security posture.
BN: What role do developers play in the Zero Trust journey?
MG: Zero Trust is a cybersecurity model founded on the principle to never trust anything inside or outside of a network, and to always verify the authenticity of actors within a given environment. To embrace a Zero Trust architecture, security professionals must engage with everyone on and connected to their network, from company employees to IT administrators. To be effective, all parties must share a mutual goal of distrusting anything within or outside of a given network.
Developers -- when they are writing software -- know what is required to communicate. This enables them to write segmentation policies that implement Zero Trust. This also reduces the cost to achieve Zero Trust because the people that know the applications best are part of that Zero Trust journey.
However, an organization should still have governance over approvals and provisioning. The principle is Zero Trust -- not trust blindly. I like to put it another way -- trust the developers, but verify that what they did fits the organization's strategy.
While Zero Trust is the end goal, the first step that developers and security professionals can take to make this methodology a reality is to increase visibility into their networks. Visualizing who has access to a company's network helps developers and security professionals understand how to restrict access to the necessary applications. Utilizing software to increase the ability to see who is on the network will help both parties understand what security measures to implement.
BN: How can segmentation facilitate the speed with which developers operate in modern businesses?
MG: With the rise of virtualization, speed became even more critical to IT and a business's competitive edge. The need for speed has brought on the rise of the empowered developer, who wants to deploy applications rapidly without having to think about the network (or wait for security). The agile infrastructure needed to meet the speed of DevOps means that workloads are dynamic and often application components aren't even running inside of a classic data center. Enterprises are steadily moving to host-based segmentation to address migration to the cloud and the issue of ever-changing workloads.
Segmentation that is decoupled from the network enables organizations to take advantage of the speed brought about by cloud and DevSecOps, but without sacrificing security. Instead, segmentation is a first-principle protection that can work in legacy environments and in the cloud. It isn't yesterday's technology tomorrow -- it is tomorrow's technology today.
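The workflow sketched in the two answers above (the developer declares what the application needs to talk to, the organization verifies that declaration against its own guardrails, and the result becomes a host-based, default-deny policy) can be shown concretely. The following is an added example written for this page; it is not code from the interview or from Illumio. The flow manifest, the guardrails, the workload name and the addresses are all constructed for the example, and the output targets Linux nftables (IPv4 only) as one possible host-based enforcement point.

```python
"""Segmentation policy as code for a single workload (added example).

A developer declares the flows an application needs; the organization's
guardrails are checked before anything is provisioned; the approved manifest
is compiled into a default-deny nftables ruleset for the host. Every name,
address and guardrail below is an assumption made for this example.
"""
import ipaddress

# Constructed sample: what the developer says "payments-api" must talk to.
APP_FLOWS = {
    "workload": "payments-api",
    "inbound": [
        {"from": "10.20.0.0/24", "proto": "tcp", "port": 8443, "purpose": "web tier"},
        {"from": "10.99.1.0/24", "proto": "tcp", "port": 22, "purpose": "bastion ssh"},
    ],
    "outbound": [
        {"to": "10.30.5.10/32", "proto": "tcp", "port": 5432, "purpose": "postgres"},
        {"to": "10.40.0.53/32", "proto": "udp", "port": 53, "purpose": "dns"},
    ],
}

# Constructed organizational guardrails: the "verify" in trust-but-verify.
GUARDRAILS = {
    "min_prefixlen": 24,                 # nothing broader than a /24, so never 0.0.0.0/0
    "forbidden_inbound_ports": {23, 3389},
    "ssh_sources": {"10.99.1.0/24"},     # port 22 only from the bastion subnet
}


def _check_common(rule, key, guardrails, where):
    """Checks shared by inbound and outbound rules; returns violation strings."""
    problems = []
    try:
        net = ipaddress.ip_network(rule[key], strict=False)
    except ValueError:
        return [f"{where}: {rule[key]!r} is not a valid network"]
    if net.version != 4:
        problems.append(f"{where}: only IPv4 is handled in this example")
    if net.prefixlen < guardrails["min_prefixlen"]:
        problems.append(f"{where}: {net} is broader than /{guardrails['min_prefixlen']}")
    if rule["proto"] not in ("tcp", "udp"):
        problems.append(f"{where}: unsupported protocol {rule['proto']!r}")
    if not 1 <= rule["port"] <= 65535:
        problems.append(f"{where}: port {rule['port']} out of range")
    return problems


def validate(flows, guardrails):
    """Return a list of guardrail violations; an empty list means approved."""
    violations = []
    for rule in flows["inbound"]:
        where = f"inbound {rule['from']}:{rule['port']}"
        violations += _check_common(rule, "from", guardrails, where)
        if rule["port"] in guardrails["forbidden_inbound_ports"]:
            violations.append(f"{where}: port {rule['port']} may not be exposed")
        if rule["port"] == 22 and rule["from"] not in guardrails["ssh_sources"]:
            violations.append(f"{where}: ssh only allowed from {sorted(guardrails['ssh_sources'])}")
    for rule in flows["outbound"]:
        where = f"outbound {rule['to']}:{rule['port']}"
        violations += _check_common(rule, "to", guardrails, where)
    return violations


def compile_nft(flows):
    """Compile an approved manifest into a default-deny nftables ruleset."""
    lines = [f'table inet seg_{flows["workload"].replace("-", "_")} {{']
    for chain, rules, addr_key, match, iface in (
        ("input", flows["inbound"], "from", "saddr", "iif"),
        ("output", flows["outbound"], "to", "daddr", "oif"),
    ):
        lines.append(f"  chain {chain} {{")
        lines.append(f"    type filter hook {chain} priority 0; policy drop;")
        lines.append("    ct state established,related accept")  # replies to allowed flows
        lines.append(f"    {iface} lo accept")
        for r in rules:
            net = ipaddress.ip_network(r[addr_key], strict=False)
            lines.append(
                f'    ip {match} {net.with_prefixlen} {r["proto"]} dport {r["port"]} '
                f'accept comment "{r["purpose"]}"'
            )
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def provision(flows, guardrails):
    """Gate: refuse to compile a manifest that fails the organization's checks."""
    violations = validate(flows, guardrails)
    if violations:
        raise ValueError("manifest rejected:\n  " + "\n  ".join(violations))
    return compile_nft(flows)


if __name__ == "__main__":
    print(provision(APP_FLOWS, GUARDRAILS))
```

The split between `validate` and `compile_nft` is the governance point from the interview: the developer owns the manifest, security owns the guardrails, and the compiler runs only once both agree. Because both chains end in `policy drop`, anything the developer forgot to declare (NTP, package mirrors, a metrics collector) is blocked rather than silently allowed, which is exactly the failure that surfaces a missing flow before production instead of after a breach.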