The Top Problems with Vulnerability Remediation Today

Originally published by Dazz.

Written by Julie O’Brien, CMO, Dazz.

As companies have transitioned development processes from building on-premises software to cloud applications, we’ve bled efficiencies—particularly at the intersection of development and security.

When we design our cloud security infrastructure, the first thing we think we need is detection visibility into security issues. But we fail to consider the consequences: more visibility means more alerts on everything from vulnerabilities to platform misconfigurations. The threat landscape is changing fast, and an unfiltered view of every emerging risk can lead to an overwhelming sense of not knowing what to fix first.

So says Steve Ward, a managing director with private equity and venture capital firm Insight Partners. Steve now manages the firm’s cybersecurity investments, but he worked in corporate cybersecurity for decades, starting in security operations and eventually serving as the CISO for several large companies, including The Home Depot.

Throughout his career, Steve has frequently seen organizational charts in which security and dev teams sit on opposite sides of a fence. “I always felt the pain as an operator of not being able to work well with my peers from a remediation standpoint,” he reports. “Security would be on one side of the fence saying, ‘These things are broken; go fix them.’ And their peers in dev would have to deal with remediation. Security might bring them a thousand issues to fix today, and another thousand tomorrow.”

As a result, he says, dev and security teams tend to have a strained relationship: “We’re talking about the humans that are on the other side of the fence, ops people who often have morale and retention problems.”

This situation leads to less-than-stellar vulnerability remediation, for three reasons:

1. Too much remediation after the fact.

Solutions developed in-house need to be clean before they are released. Otherwise, Steve says, the dev and security teams are “washing our faces with a dirty cloth.” Instead, we need to integrate security into the continuous integration and continuous delivery (CI/CD) pipeline, so that all the code coming out of the pipeline has been scrubbed and is ready for the cloud. Yet many security and dev teams remain reactive, putting out “dirty” code that creates unnecessary risk—and requires urgent, after-the-fact cleanup whenever alerts point out the problems.

2. Failure to consolidate and prioritize findings.

Most companies have an assortment of threat detection tools, and few security teams do a great job of consolidating and prioritizing findings from across all the tools. We may hand our peers in dev four or five different lists of needed fixes—say, infrastructure findings, app findings, regulatory findings, and audit findings. But if we don’t provide clarity and direction on remediating the problems, how are they supposed to know what to fix first? Failing to organize and prioritize the results of our detection tools can severely handicap remediation effectiveness.

3. Lack of empathy for DevOps colleagues.

The security team’s ability to drive fixes is limited when we don’t empathize with the people we rely on to instigate those fixes. Steve remembers peers in dev once telling him, “We’d love to go out and have a drink with you, but we don’t want you in the room when we’re solving a problem.” It’s human nature to gravitate toward positive people, and Steve says the security/DevOps dynamic is no different. “If I’m invited into the room where they’re solving a problem for the business and building something that generates revenue, they do not want me to be a barrier to progress. They want me to be part of the solution.”

Security teams that develop empathy toward their DevOps colleagues approach the role of security as an enabler to the business. Our opinions are considered more frequently, and we’re in the room as problems are solved. That means potential security issues are remediated earlier in the process, rather than after the fact, ensuring better protections throughout the entire security infrastructure.