Guy March of Tenable lays out the channel angle on Security.
Development has Evolved and Security Must Too.
If we go back to the turn of the century, IT would have needed to provision physical machines, loaded with a host of applications that were physically connected to the internet, to enable a remote employee. To introduce a new service would have taken, on average, between six and eight months in production. The next ‘phase’ saw us move to the age of Virtual Machines and, while this simplified the deployment, the architecture remained the same. This was still seen as a ‘win’ in terms of agility and speed of deployment. Today, and by harnessing the power of the Cloud, enabling a remote workforce is very different and can be done in a matter of days, if not hours.
Guy March, Channel Director – EMEA, Tenable
What do resellers need to understand about the infrastructure evolution organisations are going through?
Today, most functionality is delivered through applications, or APIs, that require resources such as servers, networking, and storage, upon which they can run - an infrastructure. IT has invested a lot over the past 10 years improving the management of infrastructure - making it easier to configure, scalable and resilient in the face of dynamic demand, and cost efficient. That often requires an operator to manually configure physical, virtual, or cloud resources according to needs. Especially in the cloud, systems are complex and operating conditions change constantly, making manual configuration a bottleneck.
What impact has this evolution had on business risk?
Development lifecycles have been reduced from months, to mere days and sometimes just hours. In some cases, new features are released in real time. While this speed and efficiency has immense benefits to the organisation, it also carries large risks. The window to identify a security weakness before implementation is also reduced. The result is that, if a vulnerability is detected while infrastructure is running, that organisation is already exposed – even if a patch is applied right away.
Security tools have traditionally been very limited in their view and context, and they typically lack the understanding of the controls available in an environment to remediate issues. For example, if a vulnerability is discovered in code, but the tool doesn’t know if there is a web application firewall (WAF) that can block a payload trying to exploit the vulnerability, then the tool cannot know whether the vulnerability is exploitable. This lack of context makes it impossible to determine if other tools and controls in the environment are able to handle the issue thereby making it impossible to determine the true risk of the environment.
As cloud adoption continues to increase, and organisations embrace the flexibility that cloud-native provides, it is vital to find and fix as many security bugs as possible before deployment. If we leave a misconfiguration in code, there is the risk it could be copied across all infrastructure making everything vulnerable. We’ve seen the real-world implication of this with the recent Apache Log4Shell vulnerability. Instead, fixing code before it can be put into production helps prevent the replication of insecurities. We are here because of this infrastructure evolution - we have to focus first on the code that underpins it.
How do we move security earlier in the development lifecycle?
Viewing the app lifecycle as a timeline, development happens earlier and production usage later. By finding flaws during the development cycle, security practitioners won’t have to ask developers to fix their code for “security reasons” later during the production or even usage stages, which in turn reduces “Patch” development. This allows developers to deliver applications quicker serving the business requirements.
Infrastructure as Code (IaC) fits into a class of technologies that enable ‘shifting left’*, or moving traditionally late processes earlier. This ‘shift left’ movement promises to improve velocity, resiliency, and security even as systems become more complex. With IaC all the resources and connections between resources are defined in code. This means scanning can easily determine what controls are available and what they will be able to address. It also means that if a vulnerability is found, the impact on the broader environment can be quantified. If a Static Application Security Testing (SAST) or Software Composition Analysis (SCA) scanner finds a vulnerability in the application code, and a WAF sees a malicious inbound payload, the IaC can determine if a path to the vulnerability exists from the internet. The holistic view of the entire infrastructure provided by IaC enables a new generation of tools to accurately assess risk and prioritise remediation. It also allows security teams to determine where a remediation action is best taken. Some SQL injections are very complicated to fix in code because they have a large impact on other parts of the application.
IaC provides the information required to visualise the attack path and then analyse it to know where the optimal place to break the path is located. This provides teams better visibility into risk when deciding whether specific issues need to be fixed immediately or can be fixed in the future. A team can choose to fix the issue where it requires the least effort, thus breaking the breach path and eliminating the risk with the least disruption. This provides teams with more time to decide how to address the more complicated underlying issues.
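The two answers above describe IaC as a machine-readable map of resources and their connections, which lets a tool ask whether a code-level finding is actually reachable from the internet and where the cheapest place to break that path is. The script below is an added illustration of that idea, not code from the original article and not part of Tenable.cs. The inventory, the scanner findings and the per-resource effort scores are all constructed for the example; the "to" lists stand in for the network edges a simplified IaC parser might emit.

```python
"""Added example: reachability and cheapest-cut analysis over a constructed
IaC-style inventory. Not a real tool's output and not Tenable code."""
from collections import deque
from itertools import combinations

# Constructed inventory: each resource lists the resources it can send
# traffic to. The bastion entry models a misconfiguration (0.0.0.0/0 on 22)
# that gives a second route from the internet to the app, bypassing the WAF.
INVENTORY = {
    "internet":  {"type": "external",      "to": ["edge_lb", "bastion"]},
    "edge_lb":   {"type": "load_balancer", "to": ["waf"]},
    "waf":       {"type": "waf",           "to": ["app"]},
    "bastion":   {"type": "ssh_bastion",   "to": ["app"]},
    "app":       {"type": "compute",       "to": ["db"]},
    "db":        {"type": "database",      "to": []},
    "ci_runner": {"type": "compute",       "to": []},   # nothing routes here
}

# Constructed SAST/SCA-style findings keyed by the resource they live on.
FINDINGS = {
    "app": ["sql-injection in /search"],
    "ci_runner": ["outdated base image"],
}

# Hypothetical effort scores: how costly it is to fix or block at each node
# (e.g. a WAF rule is cheap, rewriting the app's query layer is not).
EFFORT = {"edge_lb": 2, "waf": 1, "bastion": 1, "app": 5, "db": 4}


def reachable(inventory, source, removed=frozenset()):
    """BFS over the inventory's 'to' edges, treating 'removed' nodes as cut."""
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in inventory[node]["to"]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_paths(inventory, source, target):
    """Enumerate simple paths from source to target (iterative DFS)."""
    paths, stack = [], [(source, [source])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in inventory[node]["to"]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def exposed_findings(inventory, findings, source="internet"):
    """Keep only findings whose resource the source can actually reach;
    this is the 'context' the article says isolated scanners lack."""
    reach = reachable(inventory, source)
    return {r: f for r, f in findings.items() if r in reach}


def cheapest_cut(inventory, effort, source, target):
    """Lowest-effort set of intermediate nodes whose removal leaves target
    unreachable from source. Baseline is fixing the target itself. Brute
    force is fine for a module-sized graph; a real tool would use min-cut."""
    candidates = sorted({n for p in attack_paths(inventory, source, target)
                         for n in p[1:-1]})
    best, best_cost = None, effort.get(target, float("inf"))
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            cost = sum(effort[n] for n in combo)
            if cost < best_cost and target not in reachable(
                    inventory, source, removed=set(combo)):
                best, best_cost = set(combo), cost
    return best, best_cost


def without_edge(inventory, src, dst):
    """Return a copy of the inventory with one edge removed, modelling the
    misconfiguration being fixed in code before the next deployment."""
    fixed = {k: {"type": v["type"], "to": list(v["to"])} for k, v in inventory.items()}
    fixed[src]["to"] = [n for n in fixed[src]["to"] if n != dst]
    return fixed


if __name__ == "__main__":
    print("exposed:", exposed_findings(INVENTORY, FINDINGS))
    for p in attack_paths(INVENTORY, "internet", "app"):
        print(" -> ".join(p))
    print("cheapest cut:", cheapest_cut(INVENTORY, EFFORT, "internet", "app"))
    fixed = without_edge(INVENTORY, "internet", "bastion")
    print("after fixing bastion ingress:", cheapest_cut(fixed, EFFORT, "internet", "app"))
```

With the misconfigured bastion in place, no single control cuts the path: the cheapest option is to block at the WAF and close the bastion ingress (total effort 2) rather than rewrite the app (effort 5). Once the bastion edge is removed from the code, the WAF rule alone breaks the path, which is the "fix where it costs least, then deal with the underlying issue later" decision the answer describes.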
What is Tenable doing in this area?
Designed for DevOps and DevSecOps, the Tenable.cs platform can programmatically detect and remediate security risks before public cloud infrastructure is provisioned to support cloud-native applications. By continuously monitoring code throughout the development lifecycle, the platform can help developers to prevent vulnerabilities or security gaps from being embedded in IaC. After deploying the application, developers can use the Tenable.cs platform to detect any public cloud infrastructure changes (e.g., adding storage, changing virtual instance configuration) or policy violations, then update the source code so that application updates do not inadvertently introduce new security vulnerabilities. Vulnerabilities can be detected at the cloud infrastructure, Kubernetes cluster, and pipeline levels.
Why is software as a service an advantage to the reseller?
Customers are increasingly looking for resellers to offer strong counsel and provide support on their journey to the cloud. SaaS solutions can be quickly adopted by resellers and integrated in a holistic solution across multiple vendors to provide high-value customised services that build, secure, and maintain a customer's technology ecosystem. This is a significant opportunity for resellers, both from a technology standpoint and in terms of building bespoke services that add significant value for the customer who might not have the required expertise or resource in-house.
What are the main selling points to be mentioned to prospective clients as a reseller?
Infrastructure-related vulnerabilities, specifically policy violations and cloud resource misconfigurations, are typically detected after cloud-native applications are deployed. However, the risk of bad actors exploiting these vulnerabilities is high.
Discovering and prioritising vulnerabilities in a cloud environment is only half the battle. Organisations need to ‘shift left’ and be preemptive with cloud security to find and remediate vulnerabilities before they reach production. By identifying and addressing these gaps early in the development lifecycle for cloud-native applications, not only is the risk greatly reduced, but organisations will also see greater economic efficiency from reduced software lifecycles.
What support is offered and given by Tenable to its partners?
At Tenable, we recognise that aligning ourselves with the right partners is critical to our mission of empowering organisations to manage and measure their modern attack surface. As a vendor, we look for and actively nurture relationships with partners that want to do more than just sell our products but live by the same values Tenable holds. We want to see commitment that we know our customers demand.
Our Tenable certification program offers tailored training, based on the partner’s role and core expertise. Our curriculum targets sales and technical staff with the training required for success in every step of the customer lifecycle to establish a new standard for expertise in helping organisations address the challenges they face.
Our partners need to be as invested in the technology as we are, and from this basis we will actively work to help and support them build services and value around our solutions. This could include complementary technologies that ultimately address the challenge the customer is facing.
* Shift Left: an approach used to speed software testing and facilitate development by moving the testing process to an earlier point in the development lifecycle. Shifting left is a reference to moving testing to the left on a timeline.