
The Age of DevOps

Paul Asadoorian development, DevOps, operations, security, Signal Sciences October 3, 2018

The Most Valuable Resource of All: Time

This post was authored by Paul Asadoorian, CEO and founder of Security Weekly.

Over the last twenty years we have witnessed dramatic changes in the way companies write and ship code. First there was Waterfall, followed by the Agile movement in the early 2000s, and now we find ourselves in the Age of DevOps. All of these changes have been made with one goal in mind: ship more code in less time. After all, time is the great equalizer for us all – and those that do more in less time will always find themselves in a favorable state.

As it relates to security, time is the hardest resource to come by. There is always more to do, never enough people to help, and hardly enough budget to purchase the tools necessary to buy more time. During those early days of security when Waterfall development reigned supreme, there always seemed to be enough time for security practitioners to stop that next push to production. The company waited 6 months (and sometimes up to a year) to deliver new features to customers – what’s another few weeks?


Credit: CommitStrip (https://www.commitstrip.com/en/2014/04/15/the-original-code/)


Moreover, the Internet was just starting to pop up in homes across the United States, and the input vectors for web applications were fairly simple. The first web application firewalls (WAFs), built by Perfecto Technologies in 1999, could reasonably flag pre-determined sets of inputs as potentially malicious – all done through rudimentary tools like regular expressions to determine when someone was breaking bad on the Internet.

Unfortunately for us security professionals trying to adapt and evolve the way we stay ahead of attackers, the underlying code that runs modern-day WAFs continues to replicate the antiquated solutions that hark back to the turn of the Millennium; these newfangled “CDN-Based Web Application Firewalls” are really just regex-based technology with a new coat of paint. Moreover, when your vendor tells you “there is no need to update or patch, you’re secure!” after a new Remote Code Execution vulnerability is disclosed – be skeptical. Although their latest regex might protect you from that shiny new Proof of Concept exploit, it certainly isn’t protecting you against the polyglot exploits that are cropping up all over the place: payloads written to be valid in several syntaxes at once, so that a signature tuned to one published form of the exploit does not match the next. This gaping hole in edge-based firewall tech does us all a disservice in addressing our most sought-after need – time.


Credit: XKCD (https://xkcd.com/1171/)


Shifting Security and Buying Time

When it comes to buying time for your DevOps teams to finish that new feature, the best thing you can do is put your security protections as close to the application as you can – and ensure that the data and metrics you produce are readily useful to Development, Security, and Operations teams. What’s more, you need this protection to be fast, lightweight, and reliable – i.e. not regular expressions – and you need it to block a variety of attacks beyond the OWASP Top 10, including account takeovers, bad bots, application denial of service, and more. The only player in the space today with experience producing security results that scale in a DevOps environment, while also providing fast response times with lightweight installation and deployment, is Signal Sciences. If you don’t believe me, the proof is in their ability to deliver security at speeds unmatched by their competitors – allowing development teams to focus on delivering value to your customers, and security teams to prioritize remediations during the next sprint.
