Off. On. Hacked. Not hacked. Safe. Vulnerable. It is easy to think in these terms because it allows us to rationalize a complex system by reductionism to a single state: on or off. This has been the approach of the security industry for ages, breached or un-breached. Two options, completely binary.
Security Is Not a Binary Event, Embrace Continuous Feedback Loops
This is flawed thinking in the modern approach to applications as it ignores the attack chain — the path taken to get a functional exploit. These chains are often composed of thousands of requests yet often go unnoticed because many of the requests can appear innocuous when taken piecemeal, but when evaluated in context they tell a different story.
Most forward-thinking organizations are constantly refining their process of detecting and disrupting attacks earlier and earlier in the attack chain. This means moving away from binary thinking and instrumenting across the stack and amplifying feedback loops.
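To make the "thousands of innocuous requests" point concrete, here is a small added example (not code from the original article) that scores a constructed access log two ways: once per request, the binary view, and once per client over a time window, the contextual view. The log format, client addresses, thresholds and the two sample sessions are all assumptions made for the example.

```python
"""Context-aware request scoring over a constructed access log.

Added example, not from the original article. Each line of the log is
judged twice: in isolation (is this one request overtly bad?) and in
context (what does this client's whole sequence look like?). The log
format "<ip> <unix_ts> \"<method> <path>\" <status>", the addresses and
the thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


@dataclass
class Request:
    ip: str
    ts: int
    method: str
    path: str
    status: int


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], int(m["ts"]), m["method"], m["path"], int(m["status"]))


def is_suspicious_alone(req):
    """The binary, per-request view: flag only what is overtly bad on its own."""
    return req.status >= 500 or "../" in req.path


def analyze(lines, window=60):
    """Group requests by client and score each client's sequence in context.

    Returns {ip: {"requests", "busiest_window", "distinct_paths",
    "not_found_ratio", "flagged_alone", "score"}}. The score counts how
    many contextual signals fire (burst volume, path spread, 404 ratio);
    thresholds are illustrative, not tuned values.
    """
    by_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None:
            by_ip[req.ip].append(req)

    report = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        # Sliding window: the largest number of requests inside any `window` seconds.
        busiest, j = 0, 0
        for i in range(len(reqs)):
            while reqs[i].ts - reqs[j].ts >= window:
                j += 1
            busiest = max(busiest, i - j + 1)
        distinct = len({r.path for r in reqs})
        not_found = sum(r.status == 404 for r in reqs) / len(reqs)
        flagged_alone = sum(is_suspicious_alone(r) for r in reqs)
        score = int(busiest >= 20) + int(distinct >= 10) + int(not_found >= 0.4)
        report[ip] = {
            "requests": len(reqs),
            "busiest_window": busiest,
            "distinct_paths": distinct,
            "not_found_ratio": round(not_found, 3),
            "flagged_alone": flagged_alone,
            "score": score,
        }
    return report


# Constructed sample: one ordinary browsing session ...
BENIGN = [
    '10.0.0.5 1000 "GET /" 200',
    '10.0.0.5 1045 "GET /login" 200',
    '10.0.0.5 1052 "POST /login" 302',
    '10.0.0.5 1053 "GET /account" 200',
    '10.0.0.5 1190 "GET /orders" 200',
    '10.0.0.5 1260 "GET /favicon.ico" 404',
]
# ... and one client making 24 plain GETs to 24 different paths in 46 seconds,
# half of them 404s. No single line is overtly bad; the sequence is.
PROBING = [
    f'203.0.113.7 {2000 + 2 * i} "GET /resource-{i}" {200 if i % 2 == 0 else 404}'
    for i in range(24)
]
SAMPLE_LOG = BENIGN + PROBING

if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(ip, stats)
```

Run as a script it prints a per-client summary: the browsing client scores 0 on both views, while the second client is also 0 on the per-request view (nothing in any one line is flagged) yet fires all three contextual signals. That gap between the two columns is the blind spot of binary thinking the section describes.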
Attack Driven Defense Outshines Compliance Driven Defense
Progressive teams approach security less from a compliance or checklist mentality and instead ask, “How do attackers actually target my business?” Defensive actions that made a lot of sense 15 years ago and still exist in compliance checklists today may not make sense for a business operating in a modern environment.
For example, while the OWASP Top 10 provides a useful starting point, oftentimes the biggest areas of risk for a modern application will be in other types of attacks, such as application layer denial of service attacks, or attacks on sensitive business logic.
The best security teams can measure how their applications are actually attacked, which allows them to give more accurate guidance on risk and to make more effective and efficient defensive decisions.
Don't Block Your Business, Enable Your Teams
The most successful security teams have made a profound shift moving security from an organizational blocker to an organizational enabler. Historically, security has focused on delaying any change until it could be reviewed. This created a bottleneck.
In today’s environment of DevOps, changes are happening at a faster pace than ever before. In this new environment, if security tries to remain a blocker to the business it will simply be bypassed.
Security has to focus on how it can enable the business to move quickly and securely, in some sense moving from a culture of “no” to a team of “yes.” The most effective way to approach this shift is to decentralize and provide methods for teams to do their jobs in a secure-by-default state, rather than security acting as a centralized gatekeeper.
DevOps pioneer and author Gene Kim put it like this:
Internal security controls are often ineffective in quickly detecting breaches because of blind spots in monitoring or because no one is examining the relevant telemetry every day. To adapt, integrate security telemetry into the same tools that Development, QA, and Operations use. This gives everyone in the pipeline visibility into how applications and environments are performing in a hostile threat environment where attackers are constantly attempting to exploit vulnerabilities, gain unauthorized access, plant backdoors, and commit fraud (among other insidious things!).