[cs615asa] Notes from the 2021 ISMG Cybersecurity Summit

Justin Ho jho1 at stevens.edu
Wed May 5 13:39:49 EDT 2021


Hi all,

Yesterday, I attended a talk at the ISMG Cybersecurity Summit, which is eponymously focused on improving and advancing the global cybersecurity infrastructure across various industries and fields, from finance to government to energy to healthcare. The event itself featured a number of speakers talking about various rising technologies and processes within the cybersecurity realm, as well as the cultural shifts in the cybersecurity realm that came about as a result of the need to adapt to the COVID pandemic: from the use of micro-segmentation technologies to secure multi-cloud architectures, to how to think like a cybercriminal to thwart potential attacks, to completely re-evaluating the impact of insider risk amid the pandemic. These talks served to illuminate the many security concerns that system administrators come to face in building and maintaining their systems, with special focus on the unique intersection of technical and sociopolitical considerations that is inherent to system administration.

To that end, I chose to attend a talk on a novel approach to integrating and embedding security into the DevOps development cycle, given by Stephen Gates, a security SME at Checkmarx, a firm specializing in AppSec testing. With the modern paradigm shift from more "traditional" development cycles, like Waterfall and Agile, to the more social and integrated DevOps cycle, the integration of security into this cycle comes as a necessity - and despite this necessity, it is often the case that security considerations are an afterthought to be implemented late into development, causing delays to deployment. What Gates speaks about is his company's approach to integrating security considerations into the majority of the DevOps cycle, thereby increasing the mindfulness of security in the development workflow and subsequently improving development times, which are significant workflow factors for system administrators to consider when setting up organizational development infrastructure and suites.

In his talk, Gates spoke about a continuous six-step approach, centered primarily around AppSec policies:

  1.  Define AppSec policies: define the threat model and define which risks are acceptable and which are not.
  2.  Automate and integrate AppSec testing: automate and integrate security testing into the various development platforms, like into IDEs and code collaboration platforms like Git for source code-level testing, into the running application itself for run-time vulnerability catching, or even into the open source libraries used in the application to catch vulnerabilities there.
  3.  Identify vulnerabilities: once the AppSec testing integration is done, the tests can then run and detect coding errors within the application that give rise to vulnerabilities.
  4.  Correlate results: if various tests agree that there is a particular vulnerability in the application, correlating these results increases the confidence level that that vulnerability is a true positive, reproducible, and should probably be fixed.
  5.  Remediate vulnerabilities: choose which vulnerabilities to fix, according to the previously defined AppSec policies, and decide what is the best place to fix the vulnerability to minimize risk, which can be enhanced with Secure Code Education (SCE), teaching developers how to fix certain vulnerabilities, which can even be integrated directly into developers' IDEs.
  6.  Manage and monitor key performance indicators: observe over time how the previous five steps affect the number of vulnerabilities in the application, the rate of introducing new vulnerabilities, and the rate of finding severe vulnerabilities.
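
Steps 1, 4, 5 and 6 above are the parts of the cycle a pipeline can actually compute. As an added example (not code from the talk or from Checkmarx), here is a small Python gate that takes a constructed AppSec policy and constructed findings from three hypothetical scanners (SAST, DAST, SCA), correlates them by CWE and location, buckets each issue according to the policy, and reports KPIs against a previous scan; every policy value, tool name and finding is made up for illustration.

```python
from collections import defaultdict
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Step 1: a constructed AppSec policy (hypothetical values, not Checkmarx's).
POLICY = {
    "block_severities": {"high", "critical"},  # must be fixed before release
    "min_agreeing_tools": 2,                   # step 4: corroboration threshold
    "accepted_risks": {("CWE-79", "src/legacy/report.py")},  # documented exception
}

# Constructed findings from three hypothetical scanners (SAST, DAST, SCA).
FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "loc": "src/db.py", "severity": "critical"},
    {"tool": "dast", "cwe": "CWE-89", "loc": "src/db.py", "severity": "high"},
    {"tool": "sast", "cwe": "CWE-79", "loc": "src/legacy/report.py", "severity": "high"},
    {"tool": "dast", "cwe": "CWE-79", "loc": "src/legacy/report.py", "severity": "high"},
    {"tool": "sca", "cwe": "CWE-502", "loc": "dep:pyyaml", "severity": "critical"},
    {"tool": "sast", "cwe": "CWE-330", "loc": "src/token.py", "severity": "low"},
]

def correlate(findings):
    """Step 4: merge findings by (CWE, location); track agreeing tools and worst severity."""
    groups = defaultdict(lambda: {"tools": set(), "severity": "low"})
    for f in findings:
        g = groups[(f["cwe"], f["loc"])]
        g["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = f["severity"]
    return dict(groups)

def triage(groups, policy):
    """Step 5: bucket each correlated issue according to the policy."""
    buckets = {"fix": [], "review": [], "accepted": [], "backlog": []}
    for key, g in sorted(groups.items()):
        if key in policy["accepted_risks"]:
            buckets["accepted"].append(key)
        elif g["severity"] not in policy["block_severities"]:
            buckets["backlog"].append(key)
        elif len(g["tools"]) >= policy["min_agreeing_tools"]:
            buckets["fix"].append(key)      # corroborated: high confidence, block the release
        else:
            buckets["review"].append(key)   # single-tool hit: needs a human before blocking
    return buckets

def kpis(previous_keys, groups):
    """Step 6: open issues, newly introduced issues, and share that is high/critical."""
    keys = set(groups)
    severe = sum(1 for g in groups.values() if g["severity"] in ("high", "critical"))
    return {"open": len(keys), "new": len(keys - previous_keys),
            "severe_ratio": round(severe / len(keys), 2) if keys else 0.0}
```

Note that the single-tool critical SCA hit lands in "review" rather than "fix": correlation raises confidence in the corroborated issues, but the policy still has to say what happens to an uncorroborated one.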

The key point in Gates' talk is the importance of automation in the security considerations surrounding the different aspects of DevOps: without an automated security infrastructure in place to both catch and subsequently analyze key vulnerabilities in development, precious time can be wasted on otherwise foreseeable delays in trying to identify and fix said vulnerabilities. Just as much as organizations have shifted away from prior development cycles to DevOps in the interest of optimizing workflow, Gates recognizes the need for a similar paradigm shift from DevOps to DevSecOps, embedding security right into the heart of the development cycle to maximize efficiency. The management of these new DevSecOps technologies will come to be an important upcoming skillset for systems administrators, as this approach places security right between the development and production cycles, creating a new "orchestration" layer not uncommon to see in the realm of systems administration.

If you are at all interested in reading in more detail about the DevSecOps approach, you can read Checkmarx's (free!) best practices ebook guide here: https://info.checkmarx.com/wp-devops-a-best-practices-guide.