Focus on Security First, Before Coding the Next Feature Set

Before you start working on the next set of product features, I implore you to do a security assessment.

As we were about to run through a roadmap planning session recently, I got to thinking about the earlier days in my career. Back then, the list of things that needed to be built just to get a viable product on the market was overwhelming and seemingly never-ending. Everyone feels that way at the beginning of a development project, and often the things that can’t be seen by customers and end users – like security – get pushed to the bottom of the backlog.

Because we are a security company focused on delivering industry-leading security to the enterprise, we start monitoring for and fixing security bugs early in the development lifecycle. However, we work with organizations each day that are a few years into building their products and running in the cloud, and security is only now becoming a priority. Don’t get me wrong, I’m thrilled that security made it to the top of the priority list; I just wish it happened sooner.

Here are some of the lessons learned from years of working with Dev and DevOps teams.

There are always critical risks

No matter how careful you are, there are always high-priority security risks and bugs introduced into your cloud ecosystem. Recent analysis by Unit 42’s cloud research team has determined that 29 percent of organizations have potential account compromises. Sure enough, since May 2018, we have seen multiple high-profile breaches resulting from this emerging threat vector. We’re just human, and we get distracted. Or we miss checking a box or forget to copy over a block of code this one time. It’s okay to make mistakes; they just need to be fixed. Even the best, most security-minded teams end up with open SSH ports, misconfigured security groups, or haven’t turned on multi-factor authentication for their cloud accounts. It’s important to do the necessary checks and get these things fixed.

Start early in your development lifecycle

Security needs to be checked all along the way. If you catch risks early, development won’t have to go back, unravel and perhaps rebuild too much, thus leaving you time to get to more of that feature list. I’ve seen too many product timelines get derailed because critical security flaws were found too late in development, causing months of delays, along with lost productivity and revenue. We always advocate having different cloud accounts for dev/test vs. production. You want to be able push code and spin up the infrastructure and cloud services as you will run them in production so you can be sure you’ve got all the security groups and access controls configured correctly. (That’s just one example – there are dozens of things to check for along the way.) This way, when it is time to deploy to production, it is a much smoother process; and you can have some confidence that your cloud environment, your product and your data are secure.

Hackers have automated their hacks – it’s time to automate security

Just like Dev and DevOps have automated processes to move faster, so, too, have the hackers. They can scan entire regions in less time than it takes you to install the latest Microsoft update. That means that you have to be diligent about your security hygiene. Security automation helps by continuously scanning and assessing all your infrastructure settings, so if a bug or risk is introduced, you can remediate the issue fast – before the hackers find it. With the right tools and a little bit of dev time, you can automate security policy enforcement so you can nuke high-risk services before the hackers find the open door.

As our thoughts turn to the next feature set we’re going to build into our respective products, I’ll make just one last argument for putting security at the top of your list, too.  Whether you’re building for B2B or B2C, customers are getting more and more savvy to both security and privacy best practices. Building in strong security components and implementing security automation could be among the most attractive and differentiating features you develop this year.

RedLock® public cloud security and compliance service, part of the Palo Alto Networks Security Operating Platform, provides a focused cloud console for monitoring the security and compliance states of your Google Cloud Platform, Amazon Web Services and Microsoft Azure® environments. Learn more here.