We asked our Xebia Security experts Carlo Klerk and Edzo Botjes what stands out to them in the security landscape. How has security gone from a minor concern to a major priority for companies worldwide? And what does this shift mean for IT professionals in general? What skills do companies need, and how can we help secure their future?
"Companies primarily ask us to assess their cloud security, improve it, or make sure security is an integral part of the application they're (re)building or migrating."
What's happening in the security space
Security is evolving from a nice-to-have to a must-have. Today, cyberattacks are more visible and more impactful than ever before. The National Vulnerability Database even reveals that the number of attacks has almost tripled in the past five years.* So, it's not surprising that leaders are concerned about security. Companies have long struggled to safeguard their business and create secure products and services. Of course, they cared. They just lacked the knowledge, skills, or time to invest in security. That is why many companies ask for our help.
Security is making its way to production environments. It's more than a strategic topic; it's about securing every step in the product development process. In recent years, companies saw security as something best left to specialists in an ivory tower. However, ensuring a process is safe from start to finish requires the commitment of an entire team. To get everyone on board, we now spend a lot of time creating the right culture, sharing our know-how, and getting our hands dirty!
Do we all need to become security savvy?
Yes, companies cannot create security through meetings alone. For the situation to be sustainable, security needs to move out of its silo and become a shared responsibility: shared inside the DevOps teams and shared with the business. If you're a developer, you need to understand security in your context, and if you're a cloud architect, you need to know how to keep that environment safe. You also need to be able to align with your business stakeholders to determine together which security improvements are the most valuable. Jobs are definitely about to change!
"Today, your market value as a software developer is high if you also know security. But in five years, security know-how will be the norm for every job."
What are the most common types of cyberattacks these days?
To say that certain kinds of attacks stand out today, or will do so soon, would be foolish because every threat is different for every business. What is much more interesting is whether you know the three most significant dangers to your company and whether you've adequately protected yourself against them. If you're not 100% sure of that, Risk Management is a great place to start!
Do you know what you might have to deal with, but are unsure whether your measures are sufficient? Threat Modeling helps you answer questions such as: What is my attacker's goal? How will the attacker try to achieve it? How can I protect my business?
"Attacks that use infrastructures (like ransomware or malware) will continue to take place. The good news is that we're getting better at dealing with and recovering from them. For instance, creating products that are secure by design means we are aware of the risks, and we're eliminating them as we build."
Is digital innovation making us increasingly vulnerable?
If the environment you use to build software is not secure and malicious code gets into your product, you'll end up attacking your users. We want to avoid that situation, and luckily we can! We encourage companies to adopt DevOps, migrate as much as possible to the cloud, and use Infrastructure as Code for more secure software development, scalability, and automation. Our consultants can also perform security assessments, test the security of your platform or application, and take all measures needed to improve the safety of digital environments.
Many enterprises, especially regulated ones, have strict compliance regulations. Isn't that enough?
Compliance is essential. However, it also paralyzes companies, creates tunnel vision, and provides a false sense of security. Many compliance frameworks address security-related issues, like access to specific data. However, the controls they require are often only audited once a year. Who guarantees good execution on the other 364 days of the year?
Emphasize what matters by shifting towards a continuous compliance model and focusing on secure by default development. By focusing on security, compliance often follows. Start with threat models, write secure code, run scans in every pipeline stage, and perform vulnerability and static security scans. Monitor behavior and traffic, and keep investing!
A company that uses the cloud for its business should aim to automate continuous deployment to production, including the security and compliance checks. This way, your business and IT can deploy and roll back small features as soon as possible in response to the dynamic and interesting times we live in. We believe that security improves when business and IT can observe and respond quickly.
"Compliance is overrated, and security is understated."
What's next? What can we expect in the (near) future, and how can we best prepare?
- MORE THAN A PENTEST: some companies offer quick and straightforward pen-testing. We want to provide more than that. A pen test as a starting point? Fine. A pen test to tick off a box? We don't believe in that. Security is something you have to work on every day.
- SECURITY SELLS: legislation and authorities are placing more pressure on organizations. Having your ducks in a row regarding security is definitely a competitive advantage.
- AUTOMATE EVERYTHING: automate as much as possible, and only do manually what you really can't do otherwise. This will help secure each and every process, from start to finish.
- OUTSOURCE & UPSKILL: reducing the impact of unexpected events is becoming mandatory to stay in business. One way to do so is by outsourcing services to SaaS, which decouples your systems and business processes and leaves that specific part up to the experts! Another way is by re-skilling and/or upskilling your workforce. Now that security is moving from policy to process, and everyone is expected to take ownership, companies face a vast knowledge gap. Be prepared!
- STATE-OF-THE-ART TECHNOLOGY: cybercrime happens in the blink of an eye because it doesn't wait forever for organizational approval - and it uses state-of-the-art technology, for instance, hyper-automation. When will businesses start organizing themselves to respond to this increasing threat at the same pace?
- SECURE SOFTWARE DEVELOPMENT LIFE CYCLE: isolate building blocks and apply Secure Software Development Life Cycle (SSDLC) principles to create and integrate them. Finally, use the cloud to your advantage. For example, secure software development is much easier if you use Infrastructure as Code!
"Security is protecting what is valuable on the one hand and dealing with the unexpected on the other (responding and assessing)."