No matter where you sit in your organization, you should know what happens when you sacrifice security for speed. Threat Stack recently surveyed DevOps and security pros and found that more than half (52%) of companies make this very sacrifice, cutting back on security measures to meet a business deadline or objective. Additionally, 62% of security professionals surveyed stated that their Operations teams push back when asked to deploy secure technology — often because Ops fears it will slow things down.
This might not seem like a large problem until you consider what actually happens when you sacrifice security for speed. By putting speed above security best practices, you open your organization up to breaches and attacks. Ironically, contrary to the belief of some operations professionals, applying security best practices doesn’t have to slow you down.
In this post, the fourth in our SecOps survey series, we’re sharing what happens when you sacrifice security for speed, as well as some best practices your organization should apply in all circumstances.
Common Ways Security Gets Sacrificed
Many organizations sacrifice security because they believe that making it a primary focus will take away from the daily work of delivering the product. But what does sacrifice look like in reality? Here are some common ways that security is sacrificed.
Skipping Security Best Practices
One of the most common issues comes up when organizations don’t make time for security best practices. Perhaps they consider these best practices to be too cumbersome or difficult (or don’t have the expertise), but they are essential in running a secure organization.
Here are some that all companies should implement within their infrastructure:
- Two-factor authentication (2FA) for gateways and important hosts
- TLS (SSL) certificates on front-facing websites
- File Integrity Monitoring for important files (like those TLS certificates)
- Security Awareness Training
- Secure Code Training
- Centralized Authentication
- Stricter access controls in production environments
- Security Monitoring and Alerting
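The File Integrity Monitoring item above is easy to describe and rarely implemented. The following is an added example (not Threat Stack’s code or product) of the core of a file integrity monitor aimed at the TLS certificate case in the list: hash every certificate and key under a directory once, re-hash later, and report files that were modified, added, removed, or whose permissions changed. The directory layout and file contents are constructed in a temporary directory for the demo; in practice the baseline would be stored somewhere the monitored host cannot rewrite it.

```python
"""Minimal file integrity monitor for certificate/key material.

Added example: builds a baseline of SHA-256 digests and mode bits for
monitored files, then diffs a later baseline against it. The files used
by demo() are constructed in a temporary directory, not a real PKI layout.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File patterns we consider certificate/key material (assumption for the demo).
MONITORED_PATTERNS = ("*.pem", "*.crt", "*.key")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=MONITORED_PATTERNS) -> dict:
    """Map relative path -> (sha256 hex digest, permission bits) for every monitored file."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            mode = path.stat().st_mode & 0o777
            baseline[str(path.relative_to(root))] = (sha256_file(path), mode)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two baselines."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k][0] != current[k][0]),
        # Same content but different mode bits: e.g. a private key made world-readable.
        "permissions_changed": sorted(
            k for k in common
            if baseline[k][0] == current[k][0] and baseline[k][1] != current[k][1]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then tamper with the files and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cert = root / "site.crt"
        key = root / "site.key"
        cert.write_bytes(b"-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----\n")
        key.write_bytes(b"-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o600)
        before = build_baseline(root)

        # Simulated tampering: certificate replaced, key loosened, stray file dropped in.
        cert.write_bytes(b"-----BEGIN CERTIFICATE-----\nreplaced\n-----END CERTIFICATE-----\n")
        os.chmod(key, 0o644)
        (root / "rogue.pem").write_bytes(b"not part of the baseline\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Each category of change maps to a different alert: a modified certificate or an added key file should page someone, while a permissions change on a private key is often the first visible trace of a misconfigured deployment script.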
Failing to Configure Your Infrastructure Properly
In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as leaving remote SSH or other services open to the entire internet. By “critical,” we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies. A misconfiguration is considered critical if it:
- Can be leveraged in a direct data breach
- Can be leveraged in a more complex attack
- Enables trivial attacks on an AWS console
- Reduces or eliminates critical visibility (security or compliance)
Basic security hygiene gives you an advantage — it makes it more difficult to attack you, and an unmotivated adversary will move on and try to attack someone else. If you fail to configure your infrastructure properly, you are left open to attacks that are trivial for the bad guys to execute.
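The misconfiguration the study calls out most directly, remote SSH or another service open to the entire internet, is also one of the easiest to check for automatically. The following is an added example (not Threat Stack’s code or the study’s methodology) that audits a list of security groups in the shape returned by AWS `describe-security-groups` and reports ingress rules that expose administrative or data-store ports to `0.0.0.0/0` or `::/0`. The group definitions and the set of ports treated as sensitive are constructed for the example; a real audit would feed in the live API response.

```python
"""Flag ingress rules that expose sensitive services to the whole internet.

Added example. SAMPLE_GROUPS mirrors the structure of AWS
`describe-security-groups` output but is constructed, not from a real account.
"""
import ipaddress

# Ports whose exposure to the world is treated as critical (constructed list).
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
    6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
}


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (prefix length zero covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_services(rule: dict) -> list:
    """Names of sensitive services a single ingress rule can reach."""
    if rule.get("IpProtocol") == "-1":  # all protocols, all ports
        return ["ALL"]
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]


def audit(groups: list) -> list:
    """Return one finding per (group, service) reachable from the whole internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = sorted(c for c in cidrs if is_world(c))
            if not world:
                continue
            for service in exposed_services(rule):
                findings.append({"group": group["GroupId"], "service": service, "cidr": world})
    return findings


# Constructed sample: a bastion with SSH limited to the VPC (fine) and HTTPS public
# (not sensitive), a database open to the world, a legacy group allowing everything
# over IPv6, and an admin group whose port range happens to include SSH.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-example-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-example-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(f"CRITICAL {finding['group']}: {finding['service']} open to {finding['cidr']}")
```

The port-range case matters in practice: a rule written for a narrow purpose can silently include port 22, and a check that only looks for exact matches on `FromPort == 22` will miss it. Running this kind of audit on every infrastructure change, rather than once a quarter, is what turns the hygiene described above into a habit rather than a cleanup project.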
Letting Code Go to Production Without Review
According to our SecOps survey, 44% of developers are not trained in secure coding, and 42% of operations staff are not trained in basic security practices. Therefore, code often goes into production without proper security reviews.
According to Tech Target, app delivery collaboration under DevOps gets a lot of lip service, but IT teams truly mature only when developers take responsibility for their code in production. Want to make sure your organization is secure? Teach your developers to review their code for security flaws, and incentivize them to do so every time. Many organizations offer secure coding training, and it’d be worthwhile to look around for in-person training.
One remote training option is Secure Code Warrior. This is an example of a company that has the knowledge and resources to provide highly professional training. Of course, as a potential consumer of training services, you’ll need to research the market to find an organization that not only has the expertise you need but is also located in your region.
What Happens When You Sacrifice Security for Speed
The consequences of sacrificing security for speed can be dire. If your organization leaves security behind, you open yourself up to customer data leaks, attacks, breaches, and other nightmares — along with the resulting customer churn, reputational damage, and financial loss.
How to Do It Better
If your organization focuses on speed alone, without considering security, then you’re not focusing on building a long-term sustainable infrastructure that will support your products and team as they move into the future.
But it’s not one or the other. There’s really no need to sacrifice speed in the interest of being more secure. In fact, by incorporating SecOps best practices into your organization’s processes, you can speed up your security processes and still meet best practices and benchmarks.
Security has now become a sales driver and a board-level conversation, which means that it should be integrated into business processes from day one. To ensure that you prioritize security alongside speed, you can take a number of steps such as leveraging automation, increasing security response velocity, and implementing a modern intrusion detection platform.
Prioritizing Security and Speed
Businesses need to deploy code as quickly as possible. Unfortunately, some believe that using security best practices will get in the way of high velocity. However, if you’re not considering security from day one, you’ll open your organization to preventable attacks and breaches and all the downstream damage this causes. Thankfully, you don’t have to sacrifice security for speed. Instead, you can prioritize both, ensuring that they’re working together to support your technical, operational, and business goals.
To learn more about what our SecOps survey uncovered and how it can be applied to your organization, download your copy of Bridging the Gap Between SecOps Intent and Reality.