Security: The missing ‘golden signal’ in world-class observability
Global ratings agency Standard and Poor's (S&P) delivered a sobering message to the Asia Pacific business community in September to start factoring financial institutions' responses to cyberattacks into their creditworthiness.
Simply put, S&P could downgrade a bank's credit rating for failures in their cyber responsibilities.
Data breaches and ransomware are on the rise across the region, with high-profile cyber attacks garnering daily headlines.
In Australia, the country's second largest telco was hacked in recent months. The personal data of nearly 10 million customers were compromised, and the incident is expected to cost the carrier at least AUD $140 million. In Singapore, ransomware cases increased 54% between 2020 and 2021, and just a few weeks ago the island state's Cyber Security Agency convened an inter-agency Counter Ransomware Task Force to battle such threats.
Securing modern software systems is highly challenging, and these interminable cyberattacks demand a swift mindset shift. Applications consist of thousands of components that carry critical security vulnerabilities and risks, leading to data loss, IP theft and reputational damage. Unfortunately, most vendors have built security mechanisms for security professionals, not for developers.
As a result, engineers are conditioned to outsource the responsibility of security flows to the security team, thus passing on the burden of identifying any vulnerabilities.
What engineers need are sufficient signals with controls and policies in place so they won't be able to merge code unless set security thresholds are met. This would bake security into the development process.
Observability is uniquely positioned to offer visibility of the complexities within a modern system architecture and help identify an actionable path to remediate issues. Traditionally, there were four golden signals of observability – response time, throughput, error rate, and saturation. What's noticeably missing is security.
Here are three key tips on how to successfully embed security into the development process, which can help protect company reputation, plug security gaps and ultimately protect customer data:
1. Make security a golden signal
Security vulnerabilities in an organisation's infrastructure and software can have far-reaching consequences. By measuring the security posture as a core component of the organisation's observability platform, engineers can effectively eliminate data and team silos, and avoid the security blind spots present in today's production and non-production environments.
These additional steps might come across as overbearing for engineering teams, but they mean issues can be detected in pre-production environments, not after they've been deployed to production. After all, if the software runtime isn't meeting security thresholds in pre-production environments, there is no good reason to allow deployments to proceed to production.
2. Integrate security tools for enhanced visibility
Engineers will struggle to make informed decisions on their security posture without the full picture. By integrating and correlating security signals from third-party security tools into the observability platform, engineers will have visibility into security issues from a single platform. This allows teams to consolidate and prioritise remediation efforts in real time, and gives them visibility and context-driven security analysis across the entire software stack that identifies live vulnerabilities deployed across all environments.
Organisations should use observability platforms that allow engineers to easily aggregate existing security signals from other providers' security tools into a central view, so engineers can address vulnerabilities at any stage of the software development lifecycle using a single source of truth.
3. Encourage cross-team collaboration for optimal security posture
Identifying and fixing vulnerabilities before they impact the business requires collaboration across teams. By breaking down departmental barriers between security and engineering, teams can successfully track and report on security vulnerabilities at an organisational, team, application or individual component level.
Vulnerabilities can be automatically correlated with the software architecture to assess the surface area exposed by the vulnerability. This can help teams prioritise the most critical risks quickly, creating work items for developers that prioritise security over other initiatives.
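As an added illustration (not code from the original post or any vendor's product), the Python script below shows what tips 1 to 3 look like in practice: findings from two hypothetical scanners are merged into one de-duplicated view, ranked by severity weighted by whether the affected component is internet-facing, and checked against a pre-production threshold policy that decides whether a deployment may proceed. The scanner output, component names, exposure map and policy values are all constructed for the example.

```python
from collections import Counter

# Constructed sample findings from two hypothetical scanners (not any real tool's format).
SCANNER_A = [  # e.g. a dependency scanner
    {"component": "api-gateway", "id": "VULN-A-1", "severity": "critical"},
    {"component": "batch-worker", "id": "VULN-A-2", "severity": "high"},
]
SCANNER_B = [  # e.g. a runtime scanner; its first entry duplicates a finding from A
    {"component": "api-gateway", "id": "VULN-A-1", "severity": "critical"},
    {"component": "batch-worker", "id": "VULN-B-7", "severity": "medium"},
]
# Constructed architecture map: which components are reachable from the internet.
EXPOSURE = {"api-gateway": "internet", "batch-worker": "internal"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Constructed threshold policy for the pre-production gate.
POLICY = {"max": {"critical": 0, "high": 2}, "block_exposed_at": "high"}

def aggregate(*sources):
    """Merge findings from several tools into one view keyed by (component, id)."""
    merged = {}
    for findings in sources:
        for f in findings:
            key = (f["component"], f["id"])
            # If two tools report the same finding, keep the higher severity.
            if key not in merged or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[merged[key]["severity"]]:
                merged[key] = dict(f)
    return list(merged.values())

def prioritise(findings, exposure):
    """Rank findings by severity, weighted up when the component is internet-facing."""
    def score(f):
        weight = 2 if exposure.get(f["component"]) == "internet" else 1
        return SEVERITY_RANK[f["severity"]] * weight
    return sorted(findings, key=score, reverse=True)

def security_gate(findings, exposure, policy):
    """Return (allowed, reasons) for the pre-production gate defined by the policy."""
    counts = Counter(f["severity"] for f in findings)
    reasons = [f"{counts[sev]} {sev} finding(s) exceed limit {limit}"
               for sev, limit in policy["max"].items() if counts[sev] > limit]
    floor = SEVERITY_RANK[policy["block_exposed_at"]]
    reasons += [f"{f['id']} is {f['severity']} on internet-facing {f['component']}"
                for f in findings
                if exposure.get(f["component"]) == "internet" and SEVERITY_RANK[f["severity"]] >= floor]
    return not reasons, reasons

if __name__ == "__main__":
    view = prioritise(aggregate(SCANNER_A, SCANNER_B), EXPOSURE)
    ok, why = security_gate(view, EXPOSURE, POLICY)
    print("deploy allowed" if ok else "deploy blocked: " + "; ".join(why))
```

With the constructed data the gate blocks the deployment on two counts (a critical finding exceeds the zero-critical limit, and it sits on an internet-facing component); once that finding is remediated the remaining internal findings pass.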
A unified experience
Combining security with observability enables teams to stay ahead of security issues and focus on innovation rather than risks. By correlating infrastructure and software runtime security signals into the observability platform, engineers can track the security posture and dependencies across the live software stack. It's time to remove the noise and mitigate the friction between developers and security teams by incorporating security signals into the developer experience.