What comes first, the application or security? In an ideal world—both. Your greatest applications can be damaged by a single misconfiguration, but on the other hand, cumbersome, rigid security policies can keep you from building and shipping on schedule. That’s where DevSecOps comes into play.
You’ve most likely heard about why DevSecOps and collaboration between teams are important. But hearing about why it’s important is different from experiencing it yourself. It’s like hearing your friends rave about a restaurant and agreeing that it’s good, even though you’ve never eaten there. How can you decide if you’ve never taken a bite?
Data Center Attack: The Game is an interactive, virtual experience that puts you in the shoes of a CISO at a hospital. Your goal is to go back in time and stop a crippling data center attack. Make the wrong choices and history repeats itself, but the right choices will show you the magic of DevSecOps and keep the hospital running smoothly. See first-hand how little changes in the relationship between security and development teams can have a big impact.
I tried the game myself, and let’s just say I’m going to keep my day job. I honestly was confident in my choices until Rik Ferguson came on screen and told me that I failed miserably. Keep reading to learn how I righted my wrongs or try the game yourself first.
Game overview
The first issue Mark, the new CISO, must address is what changes need to be made to the hospital’s infrastructure security strategy, which is managed by David, head of Ops. Mark decides to throw out David’s architecture and suggests that they hire an information security (InfoSec) team to do a complete overhaul. Obviously, David wasn’t a big fan of Mark’s response, and Logan, the boss, shut the door on a new team by saying there’s no budget for it.
Mark’s new solution is to conduct pen testing and see what gaps need to be filled. Unfortunately, he would have to wait two months for the pen test to happen. With no choice in the matter, Mark agrees to wait. The next day, Mark’s morning is interrupted by a call from his boss informing him that they are under investigation for breach of compliance due to stolen patient data.
While Mark scurries to the office, he overhears a doctor requesting that patient charts be sent to his personal email. Uh-oh. Mark investigates this briefly and learns that there’s next to no security training or knowledge of security policies among the staff. He heads upstairs to meet with David, where he must decide between fixing the compliance issue or stopping the breach.
Mark decides to stop the breach by patching any found vulnerabilities. David is less than impressed and says that this will take too much time and impact the hospital’s performance for hours. There are no takebacks in the game, so they forge on. Mark also suggests security training for the staff next month so the hospital can save face for the compliance investigators.
Whomp. Whomp. I failed. After Rik delivered the sad news, he walked through why the choices were wrong and what I should’ve done instead. Let’s get into it.
Problems and solutions
Relationship woes
Problem: Mark’s first blunder was insulting David right away. This was the first meeting between representatives of the SecOps and DevOps teams, so establishing a positive relationship from the start is important. By getting off on the wrong foot with David, Mark lost an ally, which would hurt him down the road.
In the real world, similar conflict exists because of the individuality of roles. Security teams have less programming knowledge than their developer counterparts, which leads to developers assuming the responsibility of securing their development pipeline. Unsurprisingly, DevOps teams can lack the time and background to apply the right security policies and procedures.
The singularity of these roles can bleed into the overall organizational culture, with SecOps and DevOps teams firmly standing on each side of the line, as shown in the game. Alienating each other because of mistakes instead of understanding and trying to help allows security problems to persist.
Solution: Instead of trashing David’s work, Mark says that he appreciates the hard work. In return, David feels heard and is now more open to Mark’s suggestions. They’ve established a strong foundation for their relationship, which will make it easier to accomplish business goals.
Mark suggests accelerating spending this quarter to purchase a security solution that has minimal impact on performance for DevOps teams, has central security management, and works for both virtual and cloud servers. This is a more inclusive suggestion that tackles both short-term (filling current security gaps) and long-term (strengthening security and DevOps processes) needs.
By looking out for DevOps interests, Mark has now blended their roles. No longer us vs. them, Mark looks to invest in a solution that can meet development and security needs.
Security that pays off
Problem: After insulting David, Mark suggests a significant (and expensive) investment in a new InfoSec team. Of course, the more specialized staff, the better, but money doesn’t grow on trees. Also, Mark’s suggestion was short-sighted. Hiring the right people is no easy task—it takes an average of 50 days thanks to the skills shortage. In the meantime, David’s security approach stays in place and the hospital remains vulnerable. And when the new team is hired, the original developers and ops staff, such as David, will still lack the security knowledge and skills needed. Mark’s decision is like putting a Band-Aid on a broken bone and hoping it heals.
Many organizations lack the budget for additional resources, making it tough to decide where to allocate resources. As I learned, spending it on the wrong thing can have deadly consequences.
Solution: Mark suggests accelerating spending to purchase a security solution that fits the needs of the organization and its teams. Logan is open to this, as the solution sounds like it tackles multiple issues without needing to hire and train new staff. He tells Mark to scour the market for the best cost-benefit ratio. It’s important to note that Mark doesn’t just go online and sort by price, lowest to highest, to make his selection. He carefully chooses a solution that would deploy quickly for DevOps teams and have built-in functionality, like anti-ransomware, that can protect staff emails from being compromised.
Blind decisions
Problem: Next, Mark made the wrong decision to try to close the breach instead of focusing on compliance. Again, Mark failed to consider how this would impact the DevOps teams. His decision was short-sighted, as it doesn’t keep developers from making the same mistake in the future. Further, David mentioned that patching would take too long and result in lengthy system outages. However, this fell on deaf ears, as Mark was too concerned with arranging security training to look good in front of the compliance investigators.
Solution: Mark decides to make the network more compliant, a choice that benefits developers while improving the security posture and stopping the breach. David is pleased with this choice, as it frees him from the tedious burden of patching. By extending the solution to the cloud, David’s applications are further protected.
Mark also asks David to help deal with the staff’s poor security hygiene. Since they got off on the right foot, David is happy to assist. He turns on the anti-ransomware function to protect the staff’s emails while Mark organizes immediate security training.
After righting my wrongs, Rik reappears and gives me a pat on the back. The hospital continues running and lives are saved. Phew.
Next steps
Fostering a DevSecOps culture doesn’t have to be so complicated. Just little adjustments and considerations can make a huge difference. Even if you’ve read this and know what the right choices are, we still encourage you to try it for yourself. Like we said, you can’t decide until you experience it.
Already played and looking to apply this to real life? Check out our security services platform, Trend Micro Cloud One™, purpose-built for cloud builders. Experience the benefits of centralized cloud security with a free, 30-day trial.