
Author: Circadence

Celebrate “National Cybersecurity Awareness Month” Year-Round

National Cybersecurity Awareness Month (NCSAM) in October reminds us of the importance of being safer online in both our professional and personal lives. By employing fundamental cybersecurity best practices, ALL professionals from the C-Suite to the Administrator can better safeguard against the threats that infiltrate and exploit systems and data every day.

The overarching theme of NCSAM is that cybersecurity is a “shared responsibility and we all must work together to improve our Nation’s cybersecurity.” Circadence couldn’t agree more. We are excited for the future of cybersecurity given the advancements in AI, machine learning and natural language processing, all of which are features available in our cyber solutions focused on workforce readiness, cyber training and assessment, cyber ranges, cybersecurity awareness, and cyber competition/event support.

Turning Awareness Into Action

During this month of awareness, Circadence is hyper-focused on its commitment to continue providing resources and tools to automate and augment the cyber workforce to accomplish the goal of increasing cyber resiliency across all organizations.

While NCSAM is entering its 15th year as an annual initiative, Circadence has been using its history in online gaming to develop innovative solutions that help businesses defeat evolving cyber threats. We’re proud to contribute to the cybersecurity of our nation through unique training, assessment and education platforms that, together, help non-cyber professionals and seasoned cyber managers become better offenders, defenders, and governance leaders.

It’s not just about raising awareness of cybersecurity practices; we are at a time where it’s equally important to take that awareness and use it to ACT. In the current state of cybersecurity, every business, academic institution and government organization is and continues to be vulnerable. Regardless of how many cyber teams are on the frontlines protecting your organization, regardless of the stringency of the policies and procedures in place, and regardless of the frequency of system updates and access controls, hackers are determined, intentional, strategic and leveraging technology to manipulate a company’s data, liquidate valuable assets or finances, and ruin its reputation and public trust. Therefore we, as cyber and non-cyber professionals alike, must also be determined, intentional and strategic, and continue to leverage technology to automate and augment the cyber workforce so it can stay one or two steps ahead of hackers.

Educating and upskilling professionals to improve cybersecurity awareness

We understand that the challenges facing cybersecurity experts can seem insurmountable. From staffing shortages to skill deficits to budget constraints and overworked cyber teams, it can appear there’s minimal hope for improvement. We are changing that with our suite of solutions designed to place PEOPLE at the forefront of cybersecurity readiness. We believe the experts who control the advancing technologies used to prevent cyberattacks are the key to strong infosecurity environments.

This month is a time for cyber professionals and CISOs to explore new ways to modernize their cyber readiness strategy and upskill their cyber teams and non-cyber professionals. Circadence has two solutions to help. Its gamified training and assessment platform Project Ares® is one solution that CISOs can leverage cost-effectively to better prepare their organizations to protect against cyberattacks and to raise the C-Suite’s visibility into the value of building and sustaining a strong cybersecurity posture.

Likewise, inCyt® is a game-based concept designed to educate non-cyber professionals on fundamental cyber offense and defense strategies in a fun and engaging way. The first of its kind, inCyt educates the entire workforce through gamified activities in which colleagues challenge each other’s infrastructure using phishing, botnets, and spyware, disrupting the stale learning approach in the marketplace.

Finally, we have produced a series of whiteboard videos focused on the fundamental concepts of cybersecurity, both demystifying terminology and explaining processes, to further our mission of cultivating an “all hands on deck” cyber culture. Visit our YouTube channel to view these videos. While National Cybersecurity Awareness Month is in October, the awareness and application of modern practices should continue throughout the entire year, so we don’t forget the value of a strong cybersecurity posture AND keep pace with imminent threats.

Let’s celebrate, educate, assess, and adopt modern cyber training practices year-round!

3 Ways to Prevent Cybersecurity Election Interference

Voting is the crux of what we refer to as an American Democracy. Since the 2016 elections in the United States, numerous reports have cited concerns of vulnerabilities in the voting ecosystem, detailing attempts of foreign interference by organizations such as the Russian government to exploit election results with pervasive cyber attacks.

To assist in securing critical infrastructure and preventing cyber attacks, Congress provided federal funding under the recent 2018 Consolidated Appropriations Act Election Reform Program, authorized by the 2002 Help America Vote Act (HAVA). This funding grants states additional resources to make improvements in election cybersecurity. Failure to negate election interference will only perpetuate future cyber attacks, which will lower voter confidence in the democratic process and impact voter turnout.

Now more than ever, election security officials need to revisit their voting systems to leverage this newfound funding and better secure the human element that often causes cyberattacks. While the cyber attack surface of election systems is extensive due to the more than 8,000 jurisdictions in counties, states, and cities that maintain election infrastructure, there is one constant in the elections security system that can be leveraged—humans. With individuals and teams informing the entire voting process from voter registration to casting votes to reporting outcomes and auditing, humans are a key part in managing and directing both digital and manual processes.

If election security professionals can be better trained to understand how to stop cyber attacks using their own tools in emulated environments, the state of election cybersecurity will be greatly improved.

We’ve detailed three ways for election security officials to upskill their cybersecurity teams in spite of the variability in equipment and process.

Adopt a Continuous Learning Approach to Election Cybersecurity

In previous Circadence blogs, we’ve shared the benefits of a continuous learning approach, and there’s a reason for it: if cyber teams cannot keep pace with evolving adversary techniques and tactics, they won’t know how to stop them from causing mass damage. Learning basic cyber skills, as well as how adversaries use social engineering to influence election campaigns, will help state, local and federal election officials be better prepared to identify and respond to cyber attacks on voting systems.

Unfortunately, there have been documented instances of untrained personnel who have knowingly and unknowingly jeopardized the security of elections thus far. Notably, one of the first cryptic signs of cyberespionage came when a Democratic National Committee (DNC) help desk contractor ignored repeated calls from the FBI who were reporting a cyber threat from a computer system hack conducted by a Russian group referred to as “the Dukes28.” The article notes the contractor “was no expert in cyber attacks,” and couldn’t differentiate the call from a prank call.

Fortunately, with the passing of the Election Reform Program, now is the time for election cybersecurity professionals to dedicate the resources necessary to address all aspects of cybersecurity that affect a strong cyber posture. This includes:

  • having the proper equipment and security protocols in place
  • employing a trained team who can identify and combat threats quickly
  • deploying cyber resilience when attacks do occur, and much more.

Analyze Previous Attacks to Understand Adversary Techniques

Analyzing only the specific cyber attacks of the past few years is not sufficient on its own, but it is still important to see and understand the tactics used and the vulnerabilities exploited, particularly since electronic voting machines are not upgraded often. Two cyber attack groups, Fancy Bear and Cozy Bear, are worth investigating further since their methods have already been analyzed in detail. From using fake personas to deliver stolen emails and documents to journalists, to the use of malware and spear-phishing, these adversaries were able to access an operational infrastructure, implant an agent and encrypt its communications to silently exfiltrate data remotely.

Understanding adversary techniques like this can inform how cyber teams train for future cyber attacks. Election officials can begin to assess the skill level of their teams and all involved in the election process to get a sense of their capabilities and how they would approach a “Cozy Bear 2.0” for instance.

Participate In or Host Tabletop and Live Fire Exercises

Recently, Circadence used its Project Ares platform to help the City of Houston simulate a realistic cyber attack exercise to help public and private entities better prepare for an attack scenario. Emergency response simulated a cyber attack on transportation, energy, water, and government sectors while senior leaders worked directly with technical professionals to develop timely responses. This type of collaborative approach could be undertaken in every voting jurisdiction to test election systems.

There will always be risks, but cities and counties are realizing that the key is getting ahead of the cyber attack and developing effective cyber readiness policies and procedures, and realistic virtual training environments can help. Running through these cyber exercises with multiple players helps leaders see apparent gaps in offensive and defensive techniques while reaffirming the practices that must take place to secure any type of infrastructure.

As election security officials plan for new ways to leverage the HAVA Election Security Fund to improve processes, they will be pressed with justifying expenditures while also demonstrating that said security measures have indeed improved. The above recommendations will make elections safer and likely contribute to the restoration of public confidence in our democratic process.

The more focus election security officials place on upskilling their cyber teams with 1) continuous learning approaches, 2) analyzing past cyber attack methods, and 3) participating in realistic training events, the more effectively they reduce human error as a dominant source of cyber attacks.

Learn the Three A’s for Enhanced Cyber Awareness

We’re constantly learning at Circadence. Learning what’s new and effective in cyber training. Understanding what our customers need and want in a cyber training platform. Discovering the issues that still keep them up at night. Learning how to improve our products to meet demands of a dynamic industry. What continues to emerge in our research are three pieces of advice (below) that direct CISOs to a place where they’re confident in their level of cyber awareness, which allows for better collaboration with their team and business stakeholders, and creates stronger protection for their organization against evolving cyber threats.

ASSESS

CISOs know the first step in having better cyber awareness requires an understanding of how to measure security. They need the ability to assess the current state of cybersecurity in the organization. Now, this may not include a need to “assess” their current staffing quantity (especially if it’s just plain lean). However, they can assess other things that keep them up at night: unpatched systems, outdated applications, BYOD security, IoT threats, and so on. Or they can look at current access controls to see who’s using what, when and how. They can assess past breaches (if applicable) to understand what happened and how it was resolved. Or they can assess how digital and physical security policies are being followed by taking informational polls or facilitating interviews with authorized personnel. All of these things will help CISOs understand the basic warning signs and best practices for keeping the company safe.


ALIGN

Your infosecurity vision, mission, and goals should align with the company’s overall business objectives. The goal is to support the business, not stand separate from it. Currently, CISOs spend most of their time responding to threats instead of taking a “big picture” view of their department. As a result, it becomes difficult to collaborate with business leaders to define and assess their level of cyber awareness, not to mention to report and communicate the overall effectiveness of the strategy. This lack of visibility to the C-Suite stifles the perception of organizational risk and security. To expand perceptions, CISOs can begin aligning with the C-Suite by 1) providing practical knowledge of the current threat environment, 2) demonstrating how their cybersecurity strategy reflects business objectives and 3) working with stakeholders to build out a data risk dashboard that reports on progress.


ACTIVE LEARNING

Active or adaptive learning is when individuals learn by doing. Research shows it helps learners be more engaged, empowered and excited, and shows they possess deep, conceptual understandings of the topics learned. Active learning may involve collaborating with teams and applying concepts to real-world exercises/scenarios, which studies show improve retention rates by 75%, compared to 5% through traditional learning methods. As a result, organizations are finding ways to use active learning to cultivate a successful workforce. In fact, the Association for Talent Development’s “Personalized and Adaptive Learning” whitepaper reported that 83% of its respondents used some degree of personalized learning among their staff. In particular, cyber pros have begun implementing this method in the form of gamified cybersecurity training.


CYBER AWARENESS CONTINUED

These three action-items are just the tip of the cyber awareness iceberg, but, when faced with a challenge, the hardest part is getting started.

We hope our research saves you time in identifying strategic next steps so you can focus on finding the right tools and technology to help you create a culture of cyber awareness that thrives in the face of evolving threats.

Understanding the Dark Web

If you are familiar with recent news reports about security incidents and threats, you’ve probably heard of the ‘dark web’ or the ‘darknet.’ In fact, you don’t even need to pay attention to the news. TV shows, movies and even social networking sites will introduce the terms to you. The problem is, there often isn’t any explanation of what those terms mean. Likely, the people using them have no idea what they mean. Understanding what they mean can help you better protect yourself, and give you an idea of what is going on in these news reports. To get there, though, we’re going to take a quick journey through history.

A Brief History of the Internet

In the beginning was the Advanced Research Projects Agency (ARPA), along with its companion organization Defense Advanced Research Projects Agency (DARPA). These organizations were federal agencies that used money from the federal budget (tax dollars) to distribute to companies to conduct research and advance our capabilities as a country, as well as a military power. In the 60s, several people and organizations discussed the idea of connecting computers together so they could communicate, including communicating over long distances. Keep in mind that at that time, “computers” were very large devices that cost millions of dollars. The idea was to make better use of those devices by letting researchers anywhere access resources where research was being done.

In the late 1960s, two computers were connected together to create the start of the ARPANET. The ARPANET was where TCP/IP was eventually developed. In the 1970s and then the 1980s, several other networks were developed by other organizations — CSNET, BITNET, THEORYNET, JANET and many others around the world. Eventually, the U.S. created the NSFnet, sponsored by the National Science Foundation. The NSFnet became a backbone network with very fast connections. As a side note, this is where the misquote of Al Gore originates. He didn’t say he invented the Internet. He said he took the initiative while in Congress to create the Internet. He’s correct, in that he was a driving force behind legislation creating the NSFnet, which became the Internet over time, as all other research networks were folded into the NSFnet. Additionally, Gore was involved in legislation allowing businesses to connect to the NSFnet, truly creating what we know today as the Internet.


The Connected Internet

The Internet isn’t a single network. It’s a large collection of networks, all interconnected. Every business and organization connects its own network to a service provider. The service provider connects to other service providers, sharing information about how to deliver traffic to the businesses and organizations where all the users live. The Web is an overlay on top of the Internet and refers to a specific service — servers that communicate using the Hypertext Transfer Protocol (HTTP).

Search engines like Google, Bing and others make navigating the Internet possible. Not everything is searchable, though. If Google doesn’t know anything about a site, the robots Google uses to index sites can’t look through it and deliver it in search results.


The Dark Web

Any site that has no links to other sites, and that no other sites link to, is completely isolated from the search engines. The collection of such sites, which may be web sites but may also be systems that use other protocols to serve up content to users, is a subset of the overall Internet and is sometimes referred to as an overlay. This overlay is sometimes called the “darknet” or the “dark web,” because the systems and services are not searchable by traditional search engines and you’d have to know they are there to make use of them.
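The crawler behaviour described in the two paragraphs above (a search engine only learns about a site by following links into it) can be shown with a small link-graph crawl. This is an added illustration, not code from the original post or from Circadence; the hostnames and the link graph are constructed for the example and are not real sites. Note the difference between the two unindexed hosts: one links out to an indexed site, the other has no links at all, and neither is reached, because only inbound links matter to a crawler.

```python
from collections import deque

# Constructed link graph (hypothetical hostnames, not real sites).
# Each key is a host; each value is the set of hosts it links out to.
LINK_GRAPH = {
    "news.example": {"shop.example", "blog.example"},
    "shop.example": {"news.example"},
    "blog.example": {"wiki.example"},
    "wiki.example": set(),
    "unlinked.example": {"news.example"},  # links out, but nothing links in
    "isolated.example": set(),             # no links in either direction
}


def crawl(seeds, link_graph):
    """Breadth-first crawl from the seed hosts, following outgoing links only.

    Returns the set of hosts the crawler can reach, i.e. what a search
    engine could index if these were its starting points.
    """
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        # sorted() keeps the traversal order deterministic
        for target in sorted(link_graph.get(host, ())):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def unindexed(seeds, link_graph):
    """Hosts that exist on the network but that no crawl from the seeds reaches."""
    return set(link_graph) - crawl(seeds, link_graph)


if __name__ == "__main__":
    reached = crawl(["news.example"], LINK_GRAPH)
    print("indexed:  ", sorted(reached))
    print("unindexed:", sorted(unindexed(["news.example"], LINK_GRAPH)))
```

Running the block from a seed of `news.example` reaches four hosts; `unlinked.example` and `isolated.example` are never discovered, even though the former links to a well-connected site. Real crawlers also honour robots.txt and sitemaps, but the reachability rule is the same.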

More commonly, though, the terms refer to another network overlay that was developed by the U.S. Navy. U.S. Naval Research Laboratory employees developed the concept of “onion routing” in the 1990s. Today, you may know this better as The Onion Router (TOR). TOR is a way of routing to sites through peer-to-peer connections, meaning system-to-system rather than site-or-network to site-or-network. When you hear about data being on the dark web or darknet, the speaker is likely referring to TOR sites. They may, though, also be referring to other sites that are connected to the Internet but can’t be found unless someone specifically knows about the site.


The Implications for Cybersecurity

It’s important to understand what the Dark Web is because it is intimately tied to the work conducted in cybersecurity. As hackers continue to evolve in their tactics and breach practices, stealing records including medical records and people’s personal data, that information is treated as currency, sold on the Dark Web. Beyond a profit motive, according to The Independent (a U.K. newspaper), “cyber criminals could exploit the healthcare records for other purposes like redirecting medication to different addresses, or request doctor appointments on other people’s health plans.”

Healthcare is just one example of how the Dark Web informs cybersecurity efforts, but as we continue to understand the intricacies of the Dark Web and its activity, and see the damaging repercussions of its mere existence, we need to take our cybersecurity efforts that much more seriously. The possibilities of exploitation are endless when hackers are motivated by financial gain, instigating social chaos, and/or manipulating data for power and status.

Game On: The Benefits of Hands-On, Gamified Learning in Cyber Training

What is gamified learning? Before we dive into that question, let’s discuss some of the ways we currently learn about cyber today. Traditional cyber training has been conducted in the same way for years, comprised of static, classroom-style settings complete with a teacher lecturing and passive listeners. This model causes people to forget:

  • 40% of what they’ve learned after 20 minutes
  • Between 50% and 80% of what they’ve learned after one day
  • 77% of what they’ve learned after six days
  • 90% of what they’ve learned after one month

In addition to forgetting material learned, there’s minimal opportunity for the student to proactively solve problems, think critically, and analyze material. Instead, they superficially understand concepts without truly learning their application to real-world situations. This leaves the trainees disengaged, disempowered, bored, and unmotivated.

We believe there’s a better way to deliver information security training—a way that engages teams in healthy competition and in critical thinking and problem-solving activity. Through active learning, studies show learners are more engaged, empowered, excited, and possess deep, conceptual understandings of topics learned. Active learning involves collaborating with teams and applying concepts to real-world exercises and scenarios, which improves retention rates to 75%, compared to 5% through traditional learning methods.

So why is active learning so important for cybersecurity professionals?

Because the undeniable jobs shortage affecting the industry is prompting CISOs to take a closer look at ways in which they can close the skills gap. The first step involves leveling up existing cyber teams by equipping them with the tools and skills they need to do their jobs better. Without proper cyber training and skills development, professionals can’t keep pace with evolving cyber threats, causing teams, organizations, and companies to succumb to attacks.

How significant is this issue? According to a recent ESG/ISSA study, 70% of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage, with ramifications such as an increasing staff workload, hiring and training junior personnel rather than experienced professionals, and situations where teams spend most of their time dealing with the emergency du jour, leaving little time for training, planning, strategy, etc.

So what can we do about this?

Consider gamified cyber training

Not only is hands-on, active learning important but we believe that gamification is the natural, logical step in training the next gen learner (born after 1980), who has never known a world without video games. Gamification is often defined as the process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. When we think about the benefits of gamification of cybersecurity training, it is a learning style best suited for today’s learner who grew up playing video games and being motivated by elements like leaderboards, competition, collaboration, and social proof/progression.

Even academic institutions across cyber schools are exploring cybersecurity games for students to complement their classroom learning. Some institutions like CU Boulder have even crafted an entire class around gamified cyber training using Project Ares in their syllabus.

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. Further, it enables learners to apply what they know to simulated environments or “worlds,” creating a natural flow that keeps learners engaged and focused. Organizations that offer gamified exercises to teams report that 96% of workers see benefits including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times, and enhanced self-efficacy.

In gamified environments, trainees are typically:

  • rewarded for good behavior
  • incentivized to maintain good behavior
  • encouraged to dialogue about their lessons learned with peers
  • reminded of what they don’t yet know and held accountable
  • engaged in their progress thanks to leaderboards
  • prepared to participate in simulated threat situations that further prepare them when real-world situations occur

Active, gamified cyber training is only effective if employees apply their skills learned and acquired to real-world scenarios. For this reason, cybersecurity leaders are encouraged to measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of the organization.

“Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organisations do not increase complexity in the already high-stakes game against cyber crime,” said Grant Bourzikas, chief information security officer at McAfee. (ComputerWeekly)

Great, there are clear benefits. Now what?

Now it’s time to reflect on how your organization can benefit from gamification in cybersecurity training. First, look at what training (if any) is currently occurring. Then, speak with teams about where they’d like to improve and draw clear parallels between the investment in training and desired business outcomes. And of course, when you’re ready to learn more, contact us to see how gamified training actually works through our Project Ares® platform.

Game of Titans Cyber Challenge Attracts Top Professionals, Raises Awareness of Gamified Training and Assessment Solutions

We hosted our first-ever “Game of Titans” Cybersecurity Challenge in Las Vegas recently, gathering security professionals together to compete on our Project Ares® cybersecurity platform for a chance to win several prizes.

The event did not disappoint! Between the amazing Esports Arena venue, which offered enticing views of the game play, combined with the presence and engagement from celebrity hacker Vinny Troia, who provided colorful commentary and judging, and enthusiastic YouTube sensation Zach Hill of TalkTechDaily, who graciously live streamed the event, it was a success!

Competitors had the opportunity to practice on the Project Ares platform for up to 11 days in July before entering the qualifiers and then attending the live final round in Vegas. For the CISOs and other tech leaders who wanted a more intimate view of the platform, we also hosted several private demonstrations of Project Ares in-suite at Mandalay Bay. We enjoyed conversations with leading cybersecurity influencers who were looking for a better way to solve their cybersecurity challenges in the face of staffing shortfalls and skills deficits.

The inaugural Game of Titans competition culminated with three winners: best defensive player, best offensive player, and MVP. Congrats to the night’s MVP Monique Moreno with Ellucian, to Tim Nary with Booz Allen Hamilton, who was the Red Team winner, and to Jordan Scott with Boecore as the competition’s Blue Team winner.

We hope the event inspired these individuals and others to keep on strengthening the cybersecurity profession and gave interested cybersecurity professionals the opportunity to see how gamified cyber training and assessments can benefit their professional portfolio and organizational security position.

Recapping Jack Voltaic 2.0 Cyber Research Project: A Q & A with Laura Lee

Late last week, Circadence® participated in the Jack Voltaic 2.0 Cyber Research Project held in Houston, Texas. The event was described as a “bottom-up approach to critical infrastructure resilience,” where the City of Houston, in partnership with AECOM and the Army Cyber Institute (ACI), gathered with critical infrastructure partners to study cybersecurity preparedness gaps.

Developed by the ACI at West Point, Jack Voltaic 2.0 took place July 24–26 at the Houston Emergency Center and results from the activity will be published in a technical report from the Army Cyber Institute in November 2018.

Our own Laura Lee, executive vice president of rapid prototyping, attended the exercise and shared her experience in a quick Q & A.

What made this event special?

LL: This truly was a first of its kind event where a major city brought together both public and private entities across many different critical infrastructure sectors to prepare for a cyber event. It involved energy, healthcare, transportation, water and government services all working together to resolve an attack. The City of Atlanta suffered a cyberattack in early 2018 that cost millions of dollars and interrupted services in the city for weeks. The goal of this event was to avoid that type of situation and prepare, just like Houston does for hurricanes or the Super Bowl. There are always risks but the key is getting ahead of an event and developing policies and procedures to handle it.

What was the environment of the event like?

LL: During service restoration and when determining what was happening during the simulation, technical experts were serious in their pursuits to remediate the issues. Each team chose a leader and immediately got to work. Harris County (where Houston resides) was quietly discussing what they were seeing for web attacks in their network, while the Port of Houston Authority was dealing with ransomware. Each team reported up to the Houston Emergency Center, with some teams reporting live via an online conferencing system. The activity was taken very seriously, and it felt like a real-world response.

What was one of the highlights of the event?

LL: The team from Memorial Hermann Health was asked to brief what they saw in ransomware and how they handled it. It was a Webex broadcast to the 150 people in the Houston Emergency Center. All the teams were listening carefully to the report, trying to understand if they were seeing similar things. At this point, the hospital had successfully handled the attack, and everyone was gaining confidence and excitement.

Why did Circadence participate in this research exercise?

LL: Circadence is in a unique position to support city and state-wide cyber exercises because the company’s cybersecurity training and assessment platform, Project Ares®, offers virtual worlds that represent businesses and agencies in the real world. We have a synthetic internet with simulated users performing normal day-to-day jobs all in a closed, safe environment. For the event, it allowed key users to see and test what happens with the latest malware or cyber tactic. By using the Project Ares platform, we can select multiple environments that make up a city and then bring in real people, as if it was the actual city under attack. This gives a new dimension and real-world feeling to traditional “table top” exercises that are typically used for disaster preparedness. It’s a way to bring all the people required (government, industry, academia) together and includes the technical and policy personnel so everyone learns how to work together. We are passionate about helping every critical industry sector, every state, and every city learn to successfully mitigate cyber risk.

Circadence – Contributing to Critical Infrastructure Cybersecurity

Circadence supported the 6-month event planning process for the Jack Voltaic 2.0 Cyber Research Project. “We met almost monthly and created a realistic scenario within Project Ares, which resulted in a coordinated attack on the city,” said Laura. “We worked together to create events that would challenge each participant and then during the event, we ran the Live Fire exercise portion for the technical team players. We also displayed the results and analysis in real time within the large Emergency Center area so the policy makers could understand what was happening technically.”

Cyberattacks rarely affect a single target. Instead, unanticipated effects could ripple across interconnected infrastructure sectors, which is why infrastructure resilience is more critical than ever. Varying defensive capabilities and authorities complicate the response. If exploited by a determined adversary, these unidentified gaps leave our nation vulnerable. Circadence was proud to participate in this exercise and help close gaps in critical infrastructure cybersecurity through its Project Ares platform.

Watch the full press briefing from the City of Houston here.

DevSecOps: The Benefits of Security and DevOps Working Together

For years, security professionals, including myself, have advocated for security to be part of the development process. Recently, development has been undergoing a big shift “to the left” so that security becomes part of a more integrated development process. You may know this change as DevOps. DevOps means that development and operations, the team responsible for deployment and management, work closely together rather than relying on cold hand-offs. One of the ways this works is by automating as much as possible, including building, packaging, testing and deployment. The integration came at an opportune time, building on the shift in software development practices that began in the late 1990s and is now called Agile.

What is Agile?

Agile is about rapid development that produces a releasable product at the end of each iteration. Most importantly, Agile is about focusing on customer needs and not big, over-developed software. DevOps provides the ability to take the idea of Agile several steps further. Beyond just having a product that the customer can use, DevOps opens the door to deployment and delivery. As more applications and functions become enabled through web technologies, there are more frequent deployments that the customer can use. Pinterest, as an example, deploys up to 50 times a day to their platform.

Where Security Comes In

You may be wondering where exactly security comes in here. Security professionals may be concerned about what DevOps means for them. As things stand, when a development process is complete, security gets tossed a finished product to test and assess. How bad could that be if development and deployment are happening at least once every couple of weeks? Fortunately, there are answers to this question, and the good news is that the change helps from a security perspective. This is where “shifting left” comes in.

When we talk about “shifting left,” we mean that we are pushing things earlier into the development process. Like the operations team, the security team can provide their needs and requirements to development early on. This can mean ensuring that security tests are built into the test automation. It should also mean that security works closely with developers so developers understand what secure development looks like — appropriate practices and frameworks, for instance.
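One concrete form of “security tests built into the test automation” is a set of checks that run against the application’s HTTP responses alongside the functional tests, so a build that drops a hardening header or an insecure cookie flag fails before deployment. The following is an added example, not code from the original post or from Circadence; the `Response` class, the header policy and the two sample responses are constructed for illustration, and the checks would normally be fed real responses captured by the test harness.

```python
"""Security checks wired into the test suite, the 'shift left' idea in code.

Added example, not code from the original post. It assumes a small
Response object captured from the application under test; the checks
below would run alongside the functional tests in the CI pipeline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured from the app under test."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    set_cookies: List[str] = field(default_factory=list)


# Header requirements the security team hands to the developers up front.
# Each entry maps a header name to a predicate over its value.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Headers that leak implementation details and should not be sent at all.
FORBIDDEN_HEADERS = ("server", "x-powered-by")


def check_headers(resp: Response) -> List[str]:
    """Return one finding per missing, weak or forbidden response header."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    for name, ok in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing header: {name}")
        elif not ok(lowered[name]):
            findings.append(f"weak header value: {name}={lowered[name]!r}")
    for name in FORBIDDEN_HEADERS:
        if name in lowered:
            findings.append(f"information leak: {name}={lowered[name]!r}")
    return findings


def parse_set_cookie(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie line into (cookie name, {attribute: value}); attributes are lower-cased."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookies(resp: Response) -> List[str]:
    """Every cookie must be Secure and HttpOnly and carry SameSite=Lax or Strict."""
    findings: List[str] = []
    for raw in resp.set_cookies:
        name, attrs = parse_set_cookie(raw)
        for required in ("secure", "httponly"):
            if required not in attrs:
                findings.append(f"cookie {name}: missing {required}")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite must be Lax or Strict")
    return findings


def run_security_checks(resp: Response) -> List[str]:
    """Single entry point for the test automation; an empty list means pass."""
    return check_headers(resp) + check_cookies(resp)


# Constructed sample responses (not captured from any real system).
HARDENED = Response(
    status=200,
    headers={
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
    },
    set_cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
)

UNHARDENED = Response(
    status=200,
    headers={"Content-Type": "text/html", "Server": "ExampleServer/1.0"},
    set_cookies=["session=abc123; Path=/"],
)

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, run_security_checks(resp) or "pass")
```

The point of keeping the policy in a small table rather than in prose is that the security team can hand it to developers as a requirement on day one, and every pipeline run re-checks it; a regression shows up as a failed build rather than as a finding in a post-release assessment.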

Implications for the Customer

If security and its requirements are incorporated earlier in the process and security professionals become a more prominent stakeholder, the customer benefits. Each development cycle has to factor in security, and if anything is required of the security team, its members get tasks just like any of the developers or operations staff. This may include changes to intrusion detection systems, firewalls or, if it’s a web application being developed, web application firewalls.

An enormous advantage of regular deployments is that the time to repair shrinks. If development teams are releasing as often as every two weeks, customers have a much better chance of getting updates that fix security issues quickly. This helps the company and it helps the customer. It is a win-win.

Similarly, if processes are automated, the security team is in an even better position because there is less chance of the human error that results from botched installs or configurations. Automation benefits security work here too.

In the end, the blend of DevOps with Security, now referred to as DevSecOps, has enormous potential to improve application security. If you aren’t looking into it for your teams, you should be. Move security left!