As organizations continue to adopt open source software and cloud technologies, maintaining a secure and compliant environment is getting more challenging. As noted in the WSJ post "Out-of-Date Software Creates Incalculable Cyber Risk", even though Equifax was aware of the Apache Struts vulnerability (CVE-2017-5638) and attempted to fix it, there were still critical systems on the network that contained the flaw months later. By then it was too late.
The security challenge for most organizations is multifaceted and getting bigger. First, most organizations lack the visibility across their network and multi-cloud applications to know where their systems are located, how they interact with each other, what software is running on them, how they are configured, or how these systems are using critical business data. Second, new cloud technologies such as public cloud services, containers and virtual networks depend heavily on proper configurations to be secure. Third, development by assembly is causing more third-party (and open source) components to become embedded into enterprise applications, increasing the potential for vulnerabilities to be exploited.
Let’s focus on three areas that can greatly reduce the attack surface and improve your security posture:
Patching vulnerabilities that can be patched
Despite the media attention, very few exploits (less than 1%, according to analyst firm Gartner [1]) are zero-day attacks. Most target vulnerabilities that have been around for months if not years and have available software patches that close them. As an example, in another high-visibility attack, the ransomware WannaCry exploit was first discovered on May 12, 2017 – a full 59 days after the patch was made available.
So why don’t these systems get patched faster? There are a number of reasons that could be at fault. Organizations often have a process for patching that involves some form of assessment, testing, change approval, planning and execution. Errors can occur at each stage. In addition, organizational structure might put scanning for vulnerabilities with the Security team and planning and execution of patches with the IT Operations team, leading to potential communication breakdowns. Change approval might also run into roadblocks as application teams stop critical updates that would take their revenue-generating services offline.
Patching processes need to evolve to match the new challenges of rapidly changing digital applications. Start with tools that give better visibility into vulnerabilities across the attack surface. This includes understanding where the vulnerabilities exist, their severity, and how those systems relate to business applications and services. You also need to discover blind spots – those systems that might not be covered by vulnerability scanners or patch management systems – and get them under management. Next, help the operations and security teams to address the most critical vulnerabilities first, in a manner that works within operational constraints such as testing procedures or defined maintenance windows. Integrate your patching process with your ITSM change management process to ensure that change approvals are streamlined and documented. Finally, integrate with your patch management tool to ensure that changes are executed across multiple systems and platforms quickly and effectively.
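The two steps above, finding blind spots and ranking what to patch first, can be sketched as follows. This is an added example, not from the original post: the hosts, services, placeholder CVE identifiers and the "CVSS times business criticality" weighting are all assumptions made for illustration.

```python
# Added example: all hosts, scores and services below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str               # placeholder identifiers, not real CVEs
    cvss: float            # severity reported by the scanner
    patch_available: bool

# Asset inventory: host -> (business service, criticality 1..3; 3 = revenue-generating)
INVENTORY = {
    "web-01": ("storefront", 3),
    "web-02": ("storefront", 3),
    "db-01": ("storefront", 3),
    "wiki-01": ("intranet", 1),
    "build-07": ("ci", 2),
}
SCANNED_HOSTS = {"web-01", "db-01", "wiki-01"}   # hosts the scanner reported on
FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-0001", 9.8, True),
    Finding("wiki-01", "CVE-EXAMPLE-0002", 9.8, True),
    Finding("db-01", "CVE-EXAMPLE-0003", 7.5, True),
    Finding("db-01", "CVE-EXAMPLE-0004", 9.1, False),
]

def blind_spots(inventory, scanned):
    """Hosts in the inventory that no scan covered, most business-critical first."""
    missing = set(inventory) - set(scanned)
    return sorted(missing, key=lambda h: (-inventory[h][1], h))

def patch_queue(findings, inventory):
    """Patchable findings ordered by severity weighted by business criticality."""
    def risk(f):
        # Assumed weighting: scanner severity multiplied by service criticality.
        return f.cvss * inventory[f.host][1]
    patchable = [f for f in findings if f.patch_available]
    return sorted(patchable, key=lambda f: (-risk(f), f.host, f.cve))

if __name__ == "__main__":
    print("Not covered by scanning:", blind_spots(INVENTORY, SCANNED_HOSTS))
    for f in patch_queue(FINDINGS, INVENTORY):
        service, crit = INVENTORY[f.host]
        print(f"{f.host:8} {service:10} {f.cve} risk={f.cvss * crit:.1f}")
```

Two findings with the same scanner severity land at opposite ends of the queue once the business service behind each host is taken into account, and the unpatchable finding drops out of the patch queue so it can be tracked separately.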
Cloud applications and configurations
While patching will continue to be a critical line of defense against threats, an emerging challenge is ensuring that cloud configurations are secure. Amazon Web Services has over 100 services and Microsoft Azure has over 120 offerings and services that need to be configured properly to secure cloud applications. The Center for Internet Security has issued over 300 best practice guidelines for configuring AWS and is working to do the same for MS Azure.
As developers build and test cloud services at an accelerated rate, they quickly assemble and configure public cloud services such as serverless compute functions, search services, relational DBaaS, storage services and identity and access management functions. Often, they don’t have the security training or background to configure these services securely, yet they are acting as de facto security architects.
Leading organizations are starting to realize that in order to effectively scale security of their public cloud services, they need tools that utilize security best practices to help them test and verify secure configurations. This includes scanning applications and configurations in pre-production stages as well as continuously monitoring cloud security settings to ensure that changes aren’t making these services insecure or noncompliant.
Scanning for vulnerabilities before they reach production
With the trend to push releases out to production more frequently, security testing in DevOps pipelines becomes another important risk prevention procedure. This is especially true as the use of open source libraries, application servers, databases and other components becomes more prevalent. Application vulnerability scanning tools have been around for years, but unfortunately, for many organizations they impose significant process overhead that can bring innovation to a screeching halt.
Organizations need scanning tools that seamlessly integrate within their DevOps processes, allowing developers to programmatically trigger an application library or web application scan for vulnerabilities. If critical vulnerabilities are discovered, the process should be halted, requiring developers to fix and retest before production releases are approved. Once in production, these tests should continue at regular intervals to identify new vulnerabilities against deployed middleware or applications.
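A pipeline gate of the kind described above can be sketched as follows. This is an added example, not from the original post: the component manifests, the advisory feed format, the `example-logger` entry and the "only critical findings block" policy are assumptions, and the same `scan` function can be rerun on a schedule against the manifest of what is deployed.

```python
import sys

# Constructed advisory feed: (component, CVE id, severity, first affected, first fixed).
# The Struts ranges follow Apache's S2-045 advisory; example-logger is hypothetical.
ADVISORIES = [
    ("struts2-core", "CVE-2017-5638", "critical", "2.3.5", "2.3.32"),
    ("struts2-core", "CVE-2017-5638", "critical", "2.5", "2.5.10.1"),
    ("example-logger", "CVE-EXAMPLE-0005", "medium", "1.0", "1.4"),
]
BLOCKING = {"critical"}  # assumed policy: only critical findings halt the pipeline

def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def scan(manifest, advisories=ADVISORIES):
    """Return (component, version, cve, severity) for every affected component."""
    hits = []
    for name, version in manifest.items():
        v = parse_version(version)
        for comp, cve, severity, first_bad, first_fixed in advisories:
            if comp == name and parse_version(first_bad) <= v < parse_version(first_fixed):
                hits.append((name, version, cve, severity))
    return hits

def gate(manifest):
    """Exit status for the pipeline step: 1 halts the release, 0 lets it continue."""
    blocking = [h for h in scan(manifest) if h[3] in BLOCKING]
    for name, version, cve, severity in blocking:
        print(f"BLOCK {name} {version}: {cve} ({severity})", file=sys.stderr)
    return 1 if blocking else 0

# Constructed manifests: a release candidate, and the same build after the fix.
CANDIDATE = {"struts2-core": "2.3.31", "example-logger": "1.2"}
FIXED = {"struts2-core": "2.3.32", "example-logger": "1.2"}

if __name__ == "__main__":
    sys.exit(gate(CANDIDATE))
```

The non-zero exit status is what stops the pipeline stage; the medium-severity finding is still returned by `scan` for reporting but does not block the release under the assumed policy.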
Security needs to be managed, just like every other business risk. It is unlikely that you will be able to fix every vulnerability as new ones are identified on a daily basis. However, you can take steps to improve the visualization, prioritization and remediation of known security risks. First, patching needs to be thought of as a critical business process that evolves to meet the challenges of today’s digital business applications. Second, as organizations shift more of their business services to leverage serverless cloud functions, security will depend on proper configuration. You will need to scale your IT and Security teams to automate security and compliance configuration testing, reporting of violations and remediation. And finally, you will need to move security testing earlier in the development process to detect vulnerabilities and misconfigurations and prevent them from being delivered into production.
[1] “It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats”, Gartner, 09 September 2016, Craig Lawson
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.