Over the last twenty years we have witnessed dramatic changes in the way companies write and ship code.
First there was Waterfall, followed by the Agile movement in the early 2000’s, and now we find ourselves in the Age of DevOps. All of these changes have been made with one goal in mind: ship more code in less time. After all, time is the great equalizer for us all – and those that do more in less time will always find themselves in a favorable state.
As it relates to security, time is the hardest resource to come by. There is always more to do, never enough people to help, and hardly enough budget to purchase the tools necessary to buy more time. During those early days of security when Waterfall development reigned supreme, there always seemed to be enough time for security practitioners to stop that next push to production. The company waited 6 months (and sometimes up to a year) to deliver new features to customers – what’s another few weeks?
Moreover the Internet was just starting to pop-up in homes across the United States, and the input vectors for web applications were fairly simple. The first web application firewalls (WAF) built by Perfecto Technologies in 1999 could surely handle pre-determined sets of inputs as potentially malicious – all done through the use of rudimentary tools like regular expressions to determine when someone was breaking bad on the Internet.
Unfortunately for us security professionals trying to adapt and evolve the way we stay ahead of attackers, the underlying code that runs modern day WAFs continue to replicate the antiquated solutions that harken back to the turn of the Millennium; these newfangled “CDN-Based Web Application Firewalls” are really just regex-based technology with a new coat of paint. Moreover, when your vendor tells you “there is no need to update or patch, you’re secure!” when a new Remote Code Execution vulnerability is disclosed – be skeptical. Although their latest regex might protect you from that shiny-new Proof of Concept exploit, they certainly aren’t protecting you against the polyglot exploits that are cropping up all over the place. This gaping hole in edge-based Firewall tech does us all a disservice in trying to address our most sought after need – time.
Shifting Security and Buying Time
When it comes to buying time for your DevOps teams to finish that new feature, the best thing you can do is put your security protections as close to the application as you can – and to ensure that the data and metrics you produce are readily useful to Development, Security, and Operations teams. What’s more, you need this protection to be fast, lightweight, and reliable – i.e. not regular expressions; and moreover, you need it to block a variety of attacks beyond the OWASP Top 10 – including account takeovers, bad bots, application denial of service, and more. The only player in the space today with experience producing security results that scale in a DevOps environment, while also providing fast response times with lightweight installation and deployment is Signal Sciences. If you don’t believe me, the proof is in their ability to deliver security at speeds unmatched by their competitors – allowing development teams to focus on delivering value to your customers, and security teams to prioritize remediations during the next sprint.