After a staggered start, the DevSecOps movement has hit its stride over the past few years. One widely cited analyst forecast had 90% of software development projects claiming to follow DevSecOps practices by 2022, up from 40% in 2019. But in the spirit of continuous innovation, it is already time to move on to the next stage: SecValOps.
Just as DevSecOps pulled security into the front of the high-speed DevOps pipeline, SecValOps goes a step further, adding continuous testing and validation so that an organization's security strategy stays effective against today's sophisticated cyberattacks. Think of SecValOps as a standing security test that lets a business proactively manage its exposure, attack surface, and cyber risk.
New threats require a new approach
Until an enterprise security strategy has been proven resilient against real-life threats, security teams cannot consider it secure. Cybercriminals have become so resourceful, patient, and creative that even the slightest foothold, whether a public-facing server misconfiguration or a weak password, can lead to a breach. Security leaders must continually test their infrastructure for vulnerabilities and weaknesses across the exploitable attack surface to build resilience against sophisticated cyberattacks.
SecValOps has emerged as a foundation for security operations. Organizations are beginning to understand that continuous, automated testing must run before, during, and after every change in the threat landscape or the attack surface. It has become a must-have capability: a methodology that lets a business evaluate, understand, and remediate its organizational risk, then harden its defenses accordingly. The result is a company that is not constrained by security but empowered by knowing where it stands at any given moment.
Best practices for SecValOps
SecValOps requires security leaders to re-evaluate their day-to-day operations, including red and blue team activities. Some of the best practices for managing continual validation and vulnerability management include:
Continuous penetration testing: Security teams need to constantly validate the business CI/CD environment against real attacker techniques before "someone else" validates it for them.
Purple teams: The concept of a purple team, where blue and red teams work together, has been around for several years. Security teams should make purple-team exercises a standard practice, so that readiness for a new vulnerability, adversary group, or misconfiguration across the attack surface rests on actual evidence rather than on assumptions.
Stop playing patch whack-a-mole: According to CVE Details, an average organization with 5,000 employees will carry three to four times that number of vulnerabilities, of which only about 13% are typically deemed "critical." But how does the team assess criticality? Looking at a single exposure in isolation is like taking your temperature once a year: meaningless.
Without knowing which vulnerabilities are actually likely to be exploited, security teams play endless games of patch whack-a-mole and cannot keep up. Recent White House guidance to business leaders on ransomware, issued following the Biden administration's Executive Order on cybersecurity, urges businesses to apply updates and patches promptly and to use third-party penetration testers to test their systems against a sophisticated attack. Pen tests are effective on their own, but they are manual and offer only a point-in-time snapshot. An organization needs the continuous assurance of its attack preparedness that automated security validation provides.
Apply a continuous and targeted approach
Legacy vulnerability assessments built on an agent-dependent architecture are no longer enough. The industry needs a broader, comprehensive approach to automated security validation, one that looks at an environment the way a real attacker would.
Automated security validation differs from legacy vulnerability management in several ways. Rather than merely identifying a vulnerability, it supplies the context and the risk attached to the vulnerabilities that matter most. Exposing the network to actual adversarial actions gives teams a complete view of the attack operation and an accurate measure of their resilience; a legacy scanner cannot carry an attack through to the data exfiltration stage.
Automated validation also supports re-testing, so that instead of just finding a vulnerability, it verifies that the remediation worked and that the organization's readiness holds.
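The two points above, ranking findings by demonstrated exploitability rather than raw severity, and re-testing to confirm that a fix held, are shown in the following added example. It is not code from the article or from Pentera; it assumes an exploit-probability feed (the `epss` field), a known-exploited list (`known_exploited`), and a `validated` flag set only when an automated validation run actually completed the exploit. The inventory, host names and finding IDs are constructed placeholders, not real CVE identifiers.

```python
"""Added example: exploitability-weighted prioritisation and run-to-run re-testing.

Assumed inputs (not from the article): 'epss' stands in for any exploit-
probability feed, 'known_exploited' for a known-exploited-vulnerability list,
and 'validated' means an automated validation run exploited the finding end
to end. IDs and hosts below are constructed placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                 # constructed placeholder, not a real CVE identifier
    host: str
    cvss: float             # base severity, 0..10
    epss: float             # assumed probability of exploitation, 0..1
    known_exploited: bool   # listed on a known-exploited feed (assumed source)
    internet_facing: bool
    validated: bool         # an automated validation run actually exploited it


def exploit_likelihood(f: Finding) -> float:
    """Evidence beats estimate: a validated or known-exploited finding counts as certain."""
    if f.validated or f.known_exploited:
        return 1.0
    return f.epss


def exposure_factor(f: Finding) -> float:
    """Reachability weight: internal-only hosts still matter, but less."""
    return 1.0 if f.internet_facing else 0.4


def risk_score(f: Finding) -> float:
    """Severity x likelihood x reachability, so a high CVSS alone cannot dominate."""
    return round(f.cvss / 10 * exploit_likelihood(f) * exposure_factor(f), 3)


def prioritize(findings):
    """Highest risk first; ties broken by CVSS, then id, for a stable order."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss, f.id))


def patch_now(findings, threshold=0.5):
    """The short list that goes to the change board this week."""
    return [f for f in prioritize(findings) if risk_score(f) >= threshold]


def diff_runs(before: set, after: set) -> dict:
    """Compare the exploitable-finding IDs from two validation runs.

    'fixed' proves the remediation worked; 'open' is what re-testing exists
    to catch; 'new' is drift in the attack surface since the last run.
    """
    return {
        "fixed": sorted(before - after),
        "open": sorted(before & after),
        "new": sorted(after - before),
    }


def sample_inventory():
    """Constructed data: a 'critical' CVSS 9.8 that nothing exploits, beside a
    CVSS 7.5 that the validation run actually popped."""
    return [
        Finding("A", "web-01", 9.8, 0.020, False, True, False),
        Finding("B", "web-01", 7.5, 0.010, True, True, True),
        Finding("C", "db-02", 9.1, 0.900, False, False, False),
        Finding("D", "hr-03", 5.3, 0.001, False, False, False),
        Finding("E", "vpn-01", 8.8, 0.300, True, True, False),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for f in prioritize(inv):
        print(f"{f.id} {f.host:7} cvss={f.cvss:4} risk={risk_score(f):.3f}")
    print("patch now:", [f.id for f in patch_now(inv)])
    # Re-test: B was fixed since the last run, E is still open, F is new drift.
    print(diff_runs({"B", "E"}, {"E", "F"}))
```

Running the block ranks the CVSS 7.5 finding that validation actually exploited well above the CVSS 9.8 finding with no evidence of exploitability, which is the whole argument against patching by severity alone; the `diff_runs` output is what a re-test report reduces to once each run is expressed as the set of findings an attacker could still reach.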
Go on the offensive
Recent attacks show that organizations often start fighting ransomware and other attack methods only when it is already too late. They need a more proactive approach. Companies now realize that they need more than just another layer of prevention and detection: they need the proactive posture of SecValOps.
Amitai Ratzon, chief executive officer, Pentera