In our exclusive series of Interviews with Business Leaders & Experts, Today we are interacting with Kartik Shahani, Country Manager, Tenable India. Kartik discusses insights on how DevOps can tackle the security challenges of the weak software supply chain that were exposed during the infamous SolarWinds attacks.
Interview – Kartik Shahani, Country Manager, Tenable India
Q1. The SolarWinds attack has presented itself as a massive threat to end-users and developers. This well-executed attack shows that the threat actors remained hidden in the system for months, and built a comprehensive picture of SolarWinds infrastructure and product development processes, before injecting a malicious code into the Orion software update. What can the industry learn from such a large-scale supply chain attack?
The SolarWinds attack made the world aware of how every aspect, from endpoints to domain controllers needs to be configured with least privilege access from the OS level to third-party services in the supply chain. If least privilege equals a level of privilege that can make changes in Active Directory, then additional steps must be taken to protect these accounts.
The hardest lessons to learn are sometimes the easiest ones. The SolarWinds attack made one thing clear: cybersecurity must be proactive, not reactive.
Traditionally, security is implemented at the end of the build process and it’s too late to detect and remediate an attack. SolarWinds is a reminder of why organizations need to establish Infrastructure-as-Code as a baseline for DevOps and security teams, improve collaboration and ensure DevOps satisfies security requirements. It can be challenging for developers to identify and mitigate vulnerabilities at the time of writing code. Organizations need developer-first security solutions that are compatible with their workflows and automatically detect and resolve vulnerabilities introduced in their build pipelines before cloud apps are deployed.
Q2. The major issue with supply chain attacks is not the code being developed, but rather the open-source libraries, containers and other codes that are pulled from the internet. How can developers ensure such libraries are scanned for loopholes or malicious code?
Most cloud applications that organizations use contain code that is taken from open source libraries. Vulnerabilities and cloud misconfigurations in these third-party dependencies, pose significant security risks. If one of these dependencies has a vulnerability, then organizations using the code will become vulnerable to attacks.
Security teams have very little control over vulnerabilities that exist in cloud apps. This is because vulnerabilities are introduced by developers, and developers are the ones that remove vulnerabilities by implementing code changes. Once security teams find vulnerabilities that need to be remediated, they have to go through a long-drawn process of convincing a developer that it really is a vulnerability, it really needs to be fixed immediately. Then, they need to determine the best way to fix it as most developers are not security experts.
With security-as-code, security is embedded into DevOps tools and workflows by mapping out how changes to code and infrastructure are made and finding places to add security checks and tests. Teams could use SaC tools to enforce compliance throughout the development process, eliminating all meaningful security risks before cloud apps are deployed. It could also ensure the app is enforced securely at runtime as well.
Q3. What is Security Workflow Automation? How can it help average developers improve production efficiency?
Security automation is the machine-based execution of security actions. These tools have the ability to programmatically detect, investigate and remediate cyber threats either with or without human intervention. Security automation identifies incoming threats, triages and prioritizes alerts as they emerge and then responds to them in a timely manner.
It eliminates repetitive tasks and gives security teams time to focus on important tactical and strategic work. Not all organizations have the capabilities to build automation in-house, which is why they can turn to platforms that perform security automation. This will help connect your systems, tools, and processes, allowing organizations to leverage automation without the hassle of setup and configuration.
Q4. It’s now clear that DevOps has become mainstream, as more than 96% of organisations are implementing or planning DevOps to improve their time to market for new services. But implementing security after the DevOps Cycle is proving to be counterproductive. How can DevSecOps change this?
Traditionally, security teams often detect vulnerabilities at the end of the software development cycle. This approach is counterproductive to the speed-to-market strategy resulting in wasted coding time. Instead, a “DevSecOps” approach integrates security from the beginning of the development process. For a long time, security teams have been viewed as imposing roadblocks in the software development cycle. This no longer has to be true if security, development and operations teams work together to identify security tools that are developer-friendly.
Security tools are now expected to protect applications in a wide range of environments. And as production environments move to the cloud, a DevSecOps approach can help teams focus on problem prevention, rather than late detection of the problem. This helps both DevOps and security teams work more efficiently and effectively.
Q5. In DevSecOps, security teams are becoming more consultants and developers are taking a major role in deploying the security practices during application development. Could this transformation of roles hurt the development cycle?
Previously, security teams decided on the use of security tools that hindered quick deployment. Including DevOps in the security tool selection process has led to greater adoption of developer-friendly security technologies. That said, the goal of security teams has not changed, only the criteria for selecting a security tool has changed.
When traditional approaches don’t work, it’s a sign to switch to a new approach. The same goes for legacy tools that remediate issues in runtime, which not only slows down development but can lead to maintenance issues, such as configuration drift, or any number of unidentified issues. This only creates pressure on DevOps and deployment teams, which ultimately slows down the ability for engineering teams to release new features in a timely manner. Ensuring all parties — Dev+Sec+Ops have a say in what tools will make their task easier, is a better approach. This approach identifies and remediates issues before deployment.
Q6. What are the tools or services Tenable has to offer to efficiently implement DevSecOps for different sizes of organisations?
Tenable announced new capabilities for Tenable.cs, its cloud-native application security platform. Tenable.cs allows organizations to programmatically detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of the Software Development Lifecycle. Tenable.cs has the ability to automate manual processes in security and operations. A developer-friendly platform, it enables the DevOps team with a security syntax check for Infrastructure as Code, assessing Terraform and Kubernetes scripts for issues. Our tools help organizations of all sizes implement DevSecOps as any fixes are a simple merge request.
About Kartik Sahani
Kartik Shahani is the Country Manager for Tenable in India. Based in Mumbai, Kartik has over 30 years of experience in the IT industry, driving momentum for enterprises. He spearheads initiatives for Tenable in the enterprise security market, manages operations and continues efforts towards channel activities in India.
Kartik has extensive experience in telecommunications, finance and government sectors. Along with his innovative sales strategies, he is instrumental in driving growth in India. Kartik previously worked in RSA Security, a division of Dell EMC, where he was Director for Channel in Asia Pacific and Japan. Prior to this, he was the Executive Director of Integrated Security for India and South Asia at IBM.