The importance of security automation
May 16, 2022
Security is a critical, if somewhat overwhelming, task for any organization. As products grow and teams expand, the challenge of maintaining a security posture at scale increases as well. This is where automation comes in. The ability to automate security tasks offers obvious benefits such as increased speed, while also driving deeper shifts in a company’s culture and processes.
Our very own GuyPo (Snyk Founder and CTO) discussed the importance of security automation with several industry-leading technologists on The Secure Developer podcast. We’ll learn more about these guests and their insights as we examine automation’s vital role in DevOps, scaling, and risk management.
Lightening the load with DevOps
Adapting security processes to the way developers work is vital to any successful security approach. Shaun Gordon (Chief Security Officer, New Relic) appeared on episode 13 of the podcast to share his insights on the evolving role of security in the industry and at New Relic. Gordon said that he and his team “try [to] be as lightweight as possible with developers,” and minimize the workload security adds to their day to day. “And so that means [that while] a lot of what we do is as transparent as possible — we're trying to do it in the background.”
Duncan Godfrey (VP of Engineering, Auth0) shared a similar approach in episode 32. He aims to stay ahead of the SecOps state of mind by “automat[ing] a response to anything that can be automated. We're automating that way so that the team can stay focused on the next level up, which is doing the detection work.”
Automating security tasks allows developers, security experts, and operations teams to focus on the critical items without worrying about mundane tasks falling through the cracks. It’s vital to adapting security for development processes. As Gordon says in episode 13, “[it's] the only way we can continue to keep up with these very rapid development cycles. The number of developers is growing and we're never going to be able to scale with them.”
Sustainable scaling
Once your developer security program is up and running, one of the first obstacles you’ll encounter is scaling. Applications often grow rapidly, and it can be difficult to scale security and development at the same pace. On episode 23, Zach Powers (CISO, One Medical) explains that, “part of the way that [he’s] scaling is by hiring engineers who are interested in security, but really good at automation. Good at handling more of a DevOps lifestyle, and a continuous delivery environment. Those are the type of individuals that we're scaling and succeeding with at One Medical.”
The speed and pressure of modern software development means that, “if a security team is not engineering automation today, they will not scale, and they will not be able to play ball with the type of threats we face today. It cannot be done manually.” While some types of security testing still need to be done by hand, the vast majority can be automated. Powers recommends that security leaders, “ask [themselves], if your team is capable of automation, are they prioritized? Are you setting time aside for them to engineer automation? If the answer is no to that, take a step back and think about that, because that is where most security teams are going today.”
Risk and securability
The final benefit of automation our TSD guests discussed is risk management. In episode 48, Clint Gibler (Research Director, NCC Group) explained that, “security automation gives you continuous visibility into the state and relative risk of different systems.” There are many CI/CD and DevOps tools that help speed up development and release cycles, so, “if you can insert security visibility points, or hooks and checks, throughout this existing infrastructure, that can be very powerful.”
For Shannon Lietz (DevSecOps Leader and Director, Intuit), who appeared on episode 58, automating risk and complexity is the right goal to chase. “If you have a good intent and you can do resilience measurement, eventually we might be able to automate risk most of the time”, which could eventually lead to “making systems that are self-resilient.”
Automating a more secure future
Automation’s role in application development and security will only become more critical with time. Efforts to integrate it now will help development and security teams work with greater speed, efficiency, and security.
To learn more about the role of automation and the other interesting topics covered by the guests mentioned above, listen to the full episodes of The Secure Developer Podcast. As a security podcast for developers, the backlog of episodes covers almost every security topic imaginable.