The last day of the first AWS re:Inforce conference has wrapped up and it’s time to take the lessons we learned back to the office and put them into practice. In this post, we’ve compiled a few of the key takeaways from our team on the ground at re:Inforce broken into Day 1 and Day 2. We did a deep dive into Day 1 already, so check out the full post if you want to dig into the details.
Day 1 kicked off with a keynote from AWS VP and CISO Steve Schmidt, which set the tone for the entire show. From the start, re:Inforce was centered on the idea that security must become an integral part of each and every aspect of your company. Starting from the culture and working its way down, security needs to be baked into the entirety of your development and operations. This was music to the Threat Stack Team’s ears as we are big proponents of extending security throughout the full tech stack and across the entire software development lifecycle.
The Need for a Culture of Security
In plain terms, organizations need to embrace a realistic and holistic approach towards security responsibilities and coverage. Simply put, they need to:
- Become realistic and honest by removing FUD (Fear, Uncertainty, and Doubt) from their thinking and practices.
- Develop repeatable best practices for all factors — both human and technical — to leverage their resources proactively with optimal effectiveness.
- Apply security to all people and make it Job #1 in order to eliminate blind spots in security systems and processes.
The Need for Security Automation Across the SDLC
As Schmidt pointed out, “The goal is not to insert security into certain parts of the lifecycle.” Security needs to be embedded everywhere using a multi-layered approach throughout the tech stack and across workloads — and it must span the SDLC from end to end. In other words, it needs to be driven by a comprehensive approach that’s built on full stack security observability, encompassing both build-time and runtime environments. To quote Schmidt again: “DevSecOps just has to be the way Ops happens.”
Regardless of whether you’re a startup, an emerging company, or an enterprise, and regardless of the precise nature of your security and compliance requirements, all organizations seem to share a common underlying need: a cloud-native solution built on a comprehensive, highly automated platform with a well-developed customer- and partner-facing API strategy. Whatever the specific features of such a platform, it is likely to go a long way toward addressing everyone’s technical, operational, and business needs, and it’s also likely to go a long way toward helping them deal with the growing, global cybersecurity talent shortage.
Cutting Through the Hype
One thing we heard again and again on the show floor was that most cloud security vendors sound very similar, and it’s difficult for show attendees to cut through the marketing hype. One thing to keep in mind for next year’s re:Inforce (and all the shows in between) is to ask questions that are relevant not just to your role, but to the other stakeholders in your organization on either side of you. It’s important to remember that security needs to fit the entire business.
Ask the vendors about things like ChatOps integrations, support for improving your security posture over time, and the ability to support both runtime and build-time security. It’s easy for vendors to say they do cloud security — the key is to find the tools that fit your use case and help you avoid issues before they occur.
Talk About AWS Certifications
Walking around re:Inforce and in various social channels, we heard a lot of people talking about AWS certifications — in particular, the AWS Certified Security — Specialty. We’re firm believers in AWS certifications as a way for individuals to gain knowledge in a range of best practices for cloud technology while demonstrating that their skills have been validated by one of the best-known organizations in cloud computing. And collectively, certifications help demonstrate an organization’s knowledge, capabilities, and commitment to its prospects and customers. So the current display of interest is something we’re delighted about.
Standardized, referenceable accreditation points to the seriousness with which organizations are taking security and the support they’re giving their employees by encouraging this kind of rigorous professional development.
Attendance in the Developers’ Lounge
At Threat Stack we believe that strong security practices are a big part of best Dev practices. So it was very encouraging to see a hive of activity at the Developers’ Lounge — suggesting that there’s a real synergy taking place in the mindset shared by developers and security practitioners. It’s definitely a trend we encourage, knowing how critical it is to integrate security at every level and phase of Dev and Ops.
At Threat Stack, we believe that merging your development and operations team with your security team is the best way — the only way — to ensure that best practices are built into code before vulnerabilities become an issue. When security is seen as an enabler rather than a restriction, and when software engineers are encouraged to take ownership of the health and security of their code, it’s a lot easier to incorporate security throughout the entire SDLC.
The Event Itself
Finally, let’s talk about re:Inforce itself. By hosting the first AWS conference completely devoted to security, AWS clearly made the right move at the right time. There is no way to overstate the importance of the cloud in every aspect of our personal, social, and business lives, and as such, security is essential to our well-being.
Updates From Threat Stack
The weeks leading up to AWS re:Inforce 2019 were busy here at Threat Stack with two major product announcements:
- First we launched Threat Stack Application Security Monitoring, expanding on our vision for full stack security observability. With Application Security Monitoring built into the Threat Stack Cloud Security Platform® (at no additional cost), our customers have built-in protection against runtime attacks on applications, proactive application risk reduction, and eLearning capabilities designed to help developers learn how to reduce security risks in their code.
- We also announced a new Threat Stack Agent for Windows Servers. It’s a completely new agent implementation that aggregates security signals from native Windows subsystems, and runs its own proprietary driver for file integrity monitoring.
So in closing, thanks for visiting Boston to participate in re:Inforce 2019 — and let’s get together again at re:Inforce 2020 in Houston, Texas. In the meantime, feel free to reach out if you would like to discuss your security and compliance requirements and to set up a demo of the Threat Stack Cloud Security Platform®.