What Happens When You Sacrifice Security for Speed (And Common Ways Security Gets Sacrificed)

Pat Cable, May 3, 2018 (DevSecOps, 4 min read)

No matter where you sit in your organization, you should know what happens when you sacrifice security for speed. Threat Stack recently surveyed DevOps and security pros and found that more than half (52%) of companies make this very sacrifice, cutting back on security measures to meet a business deadline or objective. Additionally, 62% of security professionals surveyed stated that their Operations teams push back when asked to deploy secure technology — often because Ops fears it will slow things down.

This might not seem like a large problem until you consider what actually happens when you sacrifice security for speed. By putting speed above security best practices, you open your organization up to breaches and attacks. But ironically, contrary to the belief of some operations professionals, applying security best practices doesn’t necessarily require you to slow down forever.

In this post, the fourth in our SecOps survey series, we’re sharing what happens when you sacrifice security for speed, as well as some best practices your organization should apply in all circumstances.

Note: The other posts in our SecOps survey series are:
- How CEOs Can Be a Cybersecurity Liability (And What to Do About It)
- How to Make SecOps Work in the Real World
- The 5 Biggest Obstacles to SecOps Success

Common Ways Security Gets Sacrificed

Many organizations sacrifice security because they believe that making it a primary focus will take away from the daily work of delivering the product. But what does sacrifice look like in reality? Here are some common ways that security is sacrificed.
Skipping Security Best Practices

One of the most common issues comes up when organizations don’t make time for security best practices. Perhaps they consider these best practices to be too cumbersome or difficult (or don’t have the expertise), but they are essential in running a secure organization. Here are some that all companies should implement within their infrastructure:
- Two-factor authentication (2FA) for gateways and important hosts
- TLS (SSL) certificates on front-facing websites
- File Integrity Monitoring for important files (like those TLS certificates)
- Security Awareness Training
- Secure Code Training
- Centralized Authentication
- Stricter access controls in production environments
- Security Monitoring and Alerting

For more on these practices, take a look at these two blog posts:
- Cloud Security: Where to Get Started, Part 1
- Cloud Security: Where to Get Started, Part 2

Failing to Configure Your Infrastructure Properly

In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as leaving remote SSH or other services open to the entire internet. By “critical,” we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies. A misconfiguration is considered critical if it:
- Can be leveraged in a direct data breach
- Can be leveraged in a more complex attack
- Enables trivial attacks on an AWS console
- Reduces or eliminates critical visibility (security or compliance)

Basic security hygiene gives you an advantage — it makes it more difficult to attack you, and an unmotivated adversary will move on and try to attack someone else. If you fail to configure your infrastructure properly, you are left open to attacks that are trivial for the bad guys to execute.
Letting Code Go to Production Without Review

According to our SecOps survey, 44% of developers are not trained in secure coding, and 42% of operations staff are not trained in basic security practices. Therefore, code often goes into production without proper security reviews. According to Tech Target, app delivery collaboration under DevOps gets a lot of lip service, but IT teams truly mature only when developers take responsibility for their code in production.

Want to make sure your organization is secure? Teach your developers to review their code for security flaws, and incentivize them to do so every time. Many organizations offer secure coding training, and it’d be worthwhile to look around for in-person training. One remote training option is Secure Code Warrior. This is an example of a company that has the knowledge and resources to provide highly professional training. Of course, as a potential consumer of training services, you’ll need to research the market to find an organization that not only has the expertise you need but is also located in your region.

What Happens When You Sacrifice Security for Speed

The consequences of sacrificing security for speed can be dire. If your organization leaves security behind, you open yourself up to customer data leaks, attacks, breaches, and other nightmares — along with the resulting customer churn, reputational damage, and financial loss.

How to Do It Better

If your organization focuses on speed alone, without considering security, then you’re not focusing on building a long-term sustainable infrastructure that will support your products and team as they move into the future. But it’s not one or the other. There’s really no need to sacrifice speed in the interest of being more secure. In fact, by incorporating SecOps best practices into your organization’s processes, you can speed up your security processes and still meet best practices and benchmarks.
Security has now become a sales driver and a board-level conversation, which means that it should be integrated into business processes from day one. To ensure that you prioritize security alongside speed, you can take a number of steps such as leveraging automation, increasing security response velocity, and implementing a modern intrusion detection platform.

Prioritizing Security and Speed

Businesses need to deploy code as quickly as possible. Unfortunately, some believe that using security best practices will get in the way of high velocity. However, if you’re not considering security from day one, you’ll open your organization to preventable attacks and breaches and all the downstream damage this causes.

Thankfully, you don’t have to sacrifice security for speed. Instead, you can prioritize both, ensuring that they’re working together to support your technical, operational, and business goals.

To learn more about what our SecOps survey uncovered and how it can be applied to your organization, download your copy of Bridging the Gap Between SecOps Intent and Reality.

About Pat Cable

Patrick Cable is Director of Platform Security at Threat Stack. As an infrastructure security engineer, Patrick focuses on ensuring the security of the Threat Stack Platform by collaborating with other departments, implementing security tools, and building new technology to make security easier for everyone in the organization. Prior to working at Threat Stack he was Associate Staff in the Secure and Resilient Systems Group at MIT Lincoln Laboratory, where he worked on improving cloud security in research environments.