How To Avoid a Security Potluck With Good Governance from Code to Cloud

Originally published by Tenable.

Written by Upkar Lidder.

Organizations are pushing their application development teams to integrate security into their daily operations and throughout the development process. However, without an overlying strategy or security governance, you can end up with a messy “cybersecurity potluck”: too many tools, too many alerts and too many siloed teams.

What is a cybersecurity potluck?

Organizations often approach security as a potluck dinner to which everyone brings their own dish: Various teams use siloed security tools for security tasks such as infrastructure-as-code scanning, cloud security management and web application scanning, leading to a mishmash of disparate products.

More than two thirds of organizations have used 10 or more preventive cybersecurity tools in the past 12-24 months, according to a commissioned study conducted by Forrester Consulting on behalf of Tenable¹. And it takes a lot of resources to manage all these siloed tools. Nine in 10 (93%) have 10 or more employees devoted to deployment, support, maintenance and/or vendor relationships for the preventive cybersecurity tools in use.

While each tool has strengths, the lack of integration reduces visibility and context, which are key for proactive cybersecurity. This disjointed approach creates alert overload, data inconsistencies and overlooked vulnerabilities, exposing the organization to cyber threats. Plus, it becomes challenging to communicate risks to non-technical stakeholders.

To protect the organization’s attack surface, security teams must govern the entire application development lifecycle, offering expertise across teams and implementing a unified platform as a single source of truth for security.

Let’s dive into the details of this approach and dig into some best practices.

The main dish: A single policy framework governed by security teams

The first step to avoid a security potluck is to employ a single policy framework that everyone involved in the application development lifecycle can adhere to. The policies must be defined and enforced by the security team. A single policy framework ensures consistency in how cybersecurity is implemented throughout an organization. It establishes standardized compliance guidelines throughout the development lifecycle.

In practice, infrastructure is scanned against defined policies and then remediated in a scalable and repeatable way — regardless of where in the environment the security policy failed. Policies should not change from build to deployment in cloud environments. In addition, security teams must prescribe remediation actions when flaws or misconfigurations are discovered.

Chewing on the challenges

Implementing security governance across the application development lifecycle sounds easy in theory. In practice, there are challenges. For example, security teams might need to learn new domains and tooling, or they might feel like they don’t have the control or resources to effectively manage DevOps pipelines.

To govern development cycles without adding toil, security teams need tools that can be used by a variety of teams, such as DevOps and security teams, and that centralize information in a way everyone involved can understand. That way, existing workflows don’t have to be blown up in order to implement security.

No side dishes required

The Forrester study shows that 43% of the 825 IT and security leaders surveyed say the DevOps team does not prioritize security in its code development process. How can security pros get DevOps teams to buy into a single policy framework approach for security governance throughout the application development process?

The ideal scenario is having security tools that integrate with the tools that DevOps teams already use. That way, security teams can easily define security policies and enforce them, embedding security into the CI/CD pipelines. This allows security teams to stop risky deployments and ensure everything developers put into production has met the security team’s policy requirements.

Serving up visibility

Securing cloud infrastructure and build environments should be everyone’s responsibility. However, security teams should lead the way and gain visibility into the organization’s overall security posture so they can prioritize remediation in the application development lifecycle. Getting visibility that’s consolidated, customizable and clear saves time, boosts security and makes it easier to reconcile data that can be shared in boardroom presentations.

¹A commissioned study of 825 IT and security professionals conducted by Forrester Consulting on behalf of Tenable, May 2023.

About the Author

Upkar Lidder is a senior product manager at Tenable. He has more than 10 years of experience in IT development, including team management, functional leadership and technical leadership roles. He brings a deep experience in full-stack technology. Upkar is currently focused on security and DevSecOps in shift left, containers and cloud-native environments.