![\"\"](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/header-security.webp\")
<\/p>\n<\/p>\n
This article is based on my Microsoft Build 2022<\/a> session ‘Securing Applications’. I only had 15 minutes allocated to speak – this is what I squeezed in and delivered!<\/p>\n As organisations navigate digital transformation \u2013 there is no topic more important than <\/strong>defending yourself from attack.<\/strong><\/p>\n Security is a complex topic because its wide ranging and has many facets, and therefore needs different skills and roles to be involved.<\/p>\n To be successful, organisations must eliminate the silos between the different teams and embed a security first culture into their processes and tooling.<\/p>\n Security is about protecting an organisation to ensure the resilience and continuity of its business operations.<\/p>\n A subset of security is Information Security (infosec). Infosec is about the protection of data and associated applications, and it’s so critical for the ongoing existence and success of an organisation.<\/p>\n There are three areas at the core of infosec \u2013 these are:<\/p>\n Whilst infosec is often associated with defending against malicious attackers, it also needs to consider other types of events that can cause loss, such as \u2018acts of god\u2019. For example a lightning storm which might cause a power outage and bring down systems\/corrupt data.<\/p>\n It’s also about making sure everyone does the right things and that those things are right. For example, there is no point having a manual backup policy if people aren’t doing it regularly in accordance with the defined schedule.<\/p>\n Cybercrime is a global threat and huge industry. Bad actors will attack organisations of any size, whatever their purpose. In most cases the motivation is financial gain, but some have political objectives and others just enjoy the challenge of causing mayhem and getting publicity.<\/p>\n Exploits are traded on the dark web at low cost, enabling less skilled people to be involved in malicious activity and swelling the number of attacks.<\/p>\n It’s often the case that exploiting just one vulnerability can open the door and provide a stepping stone into a network. An attacker can then move laterally through the network and systems to unleash further wide-ranging hostile actions, ultimately impacting the confidentiality, integrity, and availability of data.<\/p>\n Bad actors do bad things:<\/p>\n The following is the Attacker\u2019s Advantage and the Defender\u2019s Dilemma:<\/p>\n This problem can be compounded when there are huge numbers of attackers targeting the defender.<\/p>\n A key part of information security is the practice of protecting systems\/data by mitigating risks. The risk management process identifies risks, and for each risk the following is assessed:<\/p>\n This process will result in a register of risks with a wide spectrum of ‘level of concern’. It’s then a business decision, based on their appetite for risk, to decide how to address each risk \u2013 the options are:<\/p>\n This will be an iterative process, so that the results of ongoing monitoring are fed back into subsequent cycles of the process.<\/p>\n We can reduce risk by doing the right things, and this breaks down into four distinct categories:<\/p>\n Security starts with the design before any code is written.<\/p>\n The design will transform user requirements into an architecture containing the platform components and software modules to be developed, and will define how they interact.<\/p>\n Threat modelling is done by people with a mindset that will think like an attacker rather than a defender. They will use a threat modelling methodology to tease out flaws in the design \u2013 which can then be addressed early, when they are relatively easy and cost-effective to resolve.<\/p>\n Zero Trust is a response to the way networks have changed. We used to have an internal network and an external network with a firewall between to keep the bad guys out. Today, your trusted people are working on untrusted networks, and most likely there will be untrusted people on your trusted networks. Today you have to protect resources and not network segments.<\/p>\n The core principal is that everything is a threat – don\u2019t trust anything or anyone at anytime until identity has been fully verified and you have a high level of assurance that it is what it claims to be.<\/p>\n Identity is key and has become a popular attack vector. Do not reinvent your own identity – instead use industry standards and products\/services from specialised organisations that have invested substantially in this and have offerings that are battle proven.<\/p>\n Data Classification is knowing your data \u2013 is it Highly Confidential, Confidential, Public, Business or Non-Business? Protect personal identifiable information (PII) because the Data Protection laws and regulations around that can impose heavy fines for any breach.<\/p>\n Confidential data should always be protected using encryption when sending over the wire or when stored at rest.<\/p>\n This is about your code and external code \u2013 namely open source.<\/p>\n Use code scanning tools to ensure submitted code is high quality, safe and reliable \u2013 and conforms to best practice. You can do this with automated code reviews, that previously peers would have done.<\/p>\n Static code analysis tools helps identify areas in which areas of the code under analysis is suspect and may be compromised.<\/p>\n Secure your secrets and put in the source code. Once application source code is loaded into source control, it can spread widely and potentially be read by many. Secrets – like API keys, security tokens, certificates and passwords – are extremely sensitive as they open doors, so they must not be embedded into source code or they will leak. Put such secrets in a safe storage service and then get the application to retrieve them at run time.<\/p>\n Software Composition Analysis tools should be employed to analyse the dependency graph and keep an inventory of third-party components being used to build applications. More on this later when we discuss the software supply chain.<\/p>\n For private development, store source code in well-secured code repositories. Fully understand your branch management so you know what code is in dev\/test\/production, and have processes for hotfixes.<\/p>\n When using cloud there are shared responsibilities for securing the environment. The cloud vendor will handle the physical security but the users must secure their own environments and resources. Analogy is a castle – doesn\u2019t matter how high the walls are or how many crocodiles are in the moat around the castle \u2013 if you leave the drawbridge down then an intruder can easily walk in.<\/p>\n Access controls are used to impose rules on who can access what and what level of access they have. Dev environments may be more relaxed, but access to production environments should be strictly controlled and limited. Access controls need to combine with a strong identity foundation and use features such as conditional access, multi-factor authentication, just-in-time and just-enough-access (JIT\/JEA).<\/p>\n Policy services are used to centrally set guardrails throughout your resources to help ensure cloud compliance, avoid misconfigurations, and practice consistent resource governance.<\/p>\n ‘Infrastructure as Code\u2019 is the practice of keeping infrastructure topology specified in scripts\/templates and are stored in version control – in a similar fashion to the way developers manage code and deploy solutions. It then enables consistency, quality, repeatability and accountability of the configuration.<\/p>\n Network security controls and devices may be implemented to mitigate against various known attack vectors. Application security often involves discussion around networking such as firewalls, gateways and load balancers \u2013 ensuring the infrastructure is locked down from certain types of network attacks.<\/p>\n Patching ensures all known vulnerabilities in virtual machines and operating system instances are resolved. If you’re using PaaS then it’s not an issue, as it’s handled automatically\/transparently by the underlying system. But it’s still a relevant topic in some cloud-native services \u2013 such as if using Kubernetes.<\/p>\n Operations are responsible for managing the live environments – their duties can be summarised as Protect | Detect | Respond. It’s important that response actions are scripted and so can be triggered as needed, as opposed to having to think and act on the fly\/under the pressure of a live incident.<\/p>\n They must monitor everything that is happening and should be looking for the unexpected events or failures, and should it happen implement incident response protocols to take the appropriate preventative measures or contain any damage.<\/p>\n Threat intelligence is knowing the latest security landscape and possible threats, and so can help by planning in advance how to respond. It’s the need to avoid surprises and the unexpected.<\/p>\n After any incident, forensics and root cause analysis should be done – in particular to determine if there is any compromise to the confidentiality, integrity and availability of the data and associated applications.<\/p>\n And finally there’s business continuity – having processes in place to keep the business running during major disruption or disaster, such as earthquake, power outage, fire, cyber attack, etc.<\/p>\n There’s a lot here and this wasn\u2019t an exhaustive list of all things to do, but it highlights the variety of skills needed. The only way to be effective and achieve success is to automate as much as possible.<\/p>\n Embrace Everything as Code changes the focus from manual, repetitive tasks to workflows based on end-goals and desired states. Store things like configuration rules in version control \u2013 so enabling that consistency, quality, and accountability that DevOps offers.<\/p>\n Open source is software made available with source code that anyone can inspect, modify, and enhance. It’s provided with a license that dictates how the software can be used, for example it might impose commercial restrictions or mandate that any modifications must also be shared back with the community.<\/p>\n It’s important that organisations understand and mitigate against the risks of open source. When an open source library is imported\/used, then all the dependencies that library uses is also included and there could be many levels of dependencies resulting in the use of considerable amounts of software from unknown sources.<\/p>\n Infecting popular open source libraries with malware and vulnerabilities is on the rise – this is known as a software supply chain attack. It can wreak maximum havoc as the malware will be further distributed to all users of the software that includes the library code.<\/p>\n Software Composition Analysis tools should be employed to analyse the dependency graph and keep an inventory of third-party components being used to build applications. These can then provide ongoing monitoring to:<\/p>\n Such tools can help software vendors document their Software Bill of Materials (SBOM) which lists any components, libraries and tools used. There has been discussion that future legislation may force software companies to make SBOM declarations public.<\/p>\n DevOps is the engine that drives innovation \u2013 and reduces the time to deliver value.<\/p>\n A DevOps approach enables organisations to develop, deploy and improve products at a faster pace than they can with traditional software development approaches.<\/p>\n But DevOps is not just a product \u2013 it requires a culture of collaboration that is critical for DevOps to be successful.<\/p>\n In DevOps, we often discuss the inner and outer loop. The inner loop is the iterative process that a developer performs when they write, build and debug code. The outer loop is the build\/deploy\/monitoring and then driving the plan for subsequent development.<\/p>\n DevSecOps is the evolution of DevOps. It focusses on integrating security practises within the DevOps inner and outer loops to create a security first culture.<\/p>\n Furthermore, it mandates a shift left mentality – that is addressing security in the earliest stages in the development lifecycle. So not only is the development team thinking about building a high quality product efficiently, but they are also implementing security as they go.<\/p>\n Addressing security earlier will improve the robustness, saves costs and accelerates delivery.<\/strong><\/p>\n As organisations navigate digital transformation \u2013 there is no topic more important than defending yourself from attack.<\/p>\n","protected":false},"author":430,"featured_media":62556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"categories":[594],"post_tag":[1908,199,519],"content-type":[],"coauthors":[1628],"class_list":["post-62397","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technetuk","tag-events","tag-security","tag-technet-uk"],"yoast_head":"\nInformation Security<\/h3>\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/infosec.webp\")
<\/p>\n\n
\nunauthorised modification.<\/li>\nCybercrime<\/h3>\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/cybercrime.webp\")
<\/p>\n\n
\n
Risk Management<\/h3>\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/riskmanagement.webp\")
<\/p>\n\n
\n
\n
Secure by Design<\/h3>\n
![\"Four](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/securebydesign.webp\")
<\/p>\n\n
Secure The Code<\/h3>\n
![\"Four](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/securethecode.webp\")
<\/p>\nSecure The Environment<\/h3>\n
![\"Four](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/securetheenvironment.webp\")
<\/p>\nSecure The Operations<\/h3>\n
![\"\"](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/securetheoperations.webp\")
<\/p>\nAutomation<\/h3>\n
![\"Four](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/automation.webp\")
<\/p>\nSoftware Supply Chain<\/h3>\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/softwaresupplychain.webp\")
<\/p>\n\n
DevOps<\/h3>\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/devops.webp\")
<\/p>\nDevSecOps<\/h3>\n
![\"A](\"https:\/\/www.microsoft.com\/en-us\/industry\/blog\/wp-content\/uploads\/sites\/22\/2022\/06\/devsecops.webp\")
<\/p>\nLearn more<\/h3>\n
\n