“There’s less and less separation between building out the application and building out the infrastructure. Security has to be built in. It has to be automated. It’s no longer something we deploy manually,” said Adrian Sanabria (@sawaba), senior security analyst, 451 Research in our conversation at the Black Hat USA 2016 conference in Las Vegas. “We deploy [security] with APIs just like we deploy our infrastructure with APIs.”
The buyer of security products is changing as well. For example, an automation engineer could be responsible for purchasing a security product, said Sanabria. As IT changes so does security. It’s now everybody’s problem and job function.
How do you manage security where the old way of thinking doesn’t apply anymore?
Infrastructure is now code in the cloud. There are different roles deploying infrastructure. Because of that, we need those roles involved in security, said Sanabria.
There’s no opportunity to wait for security, hand it off to someone and wait for them to respond, he added. Security has zero time. It has to be done as the project progresses.
To combat this “we’re seeing more tools where security checks are automatically done as developers write code and as they deploy code,” said Sanabria.
“In the past security was more of a ‘what product do you buy to solve this problem.’ Now it’s do we build a solution or do we buy? And if we buy how do we integrate that into the workflows and the processes we already set up?” asked Sanabria.