Cloud Security for Developers, Part 2
In my last post I explained that the overarching goal of cybersecurity is risk management. In order to manage risk, organizations leverage governance to set policies and enforce rules. But, as I posed at the end of the post, who should set those policies and enforce those rules? Sometimes DevOps teams think they should be the ones to set the policies and enforce the rules. Sometimes developers wonder why the rules exist and if they’re necessary. This leads to a question people have asked me a lot recently:
Is a security team really necessary?
Can’t developers do the security team’s job?
I would turn this around and ask, “do you think the security team could replace you and do your job?”
How would you respond to this question? You might start listing off all the things the security team doesn’t know about your job and the skills you’ve acquired over the years by digging into the details of how the technologies you use work.
You likely know one or more software languages. You probably acquired some skills pertaining to proper architectures, performance, microservices, and maybe multithreading if you’ve been programming for years on complex systems. You’re likely well-versed in a good software development lifecycle process if you’ve ever worked for a large company with proper operations for smooth deployments and deliverables that meet business needs and objectives. You may have even learned to automate your cloud infrastructure.
So what about security? You may understand how an S3 bucket can be misconfigured (which still happens — see the recent Twilio breach) and how to set IAM policies. But do you know how attackers manipulate network packets, creating tunnels to exfiltrate data or pass commands through your network undetected in payloads or network protocols? What about phishing and social engineering attacks that look like valid requests such as those that just affected Twitter?
How about web shells, DNS rebinding, and SIM swapping?
Do you understand cryptography flaws caused by different encryption modes and how ARP spoofing and trunking misconfigurations can affect the network devices you use to connect to the cloud?
Are you aware of how fileless malware and kernel-mode rootkits infect processes on your system in such a way that you can’t tell they’re there by looking at the tools your OS provides? How would you spot a hardware vulnerability exploit that you can’t see by looking at your operating system?
Do you understand proper network architectures and why they exist? And no, they do not exist to make your life complicated.
Do you really know the OWASP Top 10 (which covers only the ten most common of many categories of software attacks), and all the techniques in the MITRE ATT&CK framework, to name two lists you can review for potential attacks? Are you sure your system isn’t vulnerable to any of them?
Have you had a penetration test recently? On every recent pentest, I’ve found flaws and delivered lengthy reports outlining security problems in cloud accounts — most over 100 pages with supplemental details upon request. Are you aware of, and do you understand all the findings? Were they fixed? Are your systems fully patched, and all your infrastructure aligned with the CIS benchmarks and other cybersecurity best practices?
What about threat modeling, monitoring, hunting, and intelligence? Are you well-versed in all the latest breaches and attacks on other companies? Can you reverse malware with a disassembler? Do you know how to perform breach analysis with proper chain of custody and what to do in the case of a cyber incident to minimize the cost of a breach through appropriate handling of logs and records?
Can you work with law enforcement and your company’s legal team to ensure the best outcome for your company in case of a breach (which likely will happen at some point)? Can you capture system memory in the event of a system compromise and analyze it to determine what happened?
How about deciphering network packets and translating raw hex into a human-readable format? Can you configure and monitor network- and host-based IDS or IPS and update the rules as new threats arise?
Do you understand what compliance regulations your organization must adhere to, or else face fines or other penalties? Do you know what APTs (advanced persistent threats) are, and are you familiar with the different groups around the world and their objectives, which vary by country and crime organization? Are you aware of which ones might target your organization, and why?
Those are some of the things security professionals learn through years of training and research. Discounting the need for a security team without understanding the knowledge they have is akin to thinking you can be a doctor without going to medical school. If you want to be an expert at something at a deep level, you need to drill in and focus on it, probably for many years, to come even close to expert level. The more of an expert you want to be, the deeper you need to dive.
Often people say they learn how much they don’t know when diving deeper into a subject, rather than thinking they know everything. I certainly feel this way after 25+ years of software engineering, with a master’s in software engineering, combined with almost as many years of security research and a master’s in information security engineering. I have many security certifications, including the GSE, one of the hardest security certifications to obtain in the industry. And even with all that, I know there is so much more to learn in both fields! I can’t squeeze it all into my brain or learn all the new things I want to know fast enough. I have great respect for experts with more in-depth knowledge than me on specific topics in both fields.
Knowing how to implement cloud security controls is not the same as designing a secure system architecture that prevents cyber attacks. And that’s only half the story. After deployment someone needs to monitor the systems for cyber attacks or data leakage. Typically you want a separate team for this, because what happens if the cyber attacker is someone on your development team? The security team may not have access to make changes in the environment and may act as an auditor.
Someone also needs to handle the legal and governance issues mentioned in my first post. Many different job functions exist within the realm of cybersecurity and people often specialize in a specific domain.
So should developers forget security and leave it to the security team? Definitely not! Developers shouldn’t be forced to do a security team’s job, but they still have a critical role to play in cybersecurity. In my next post I’ll explain why developers are crucial for improving future cybersecurity outcomes and preventing data breaches.