Joni Klippert, Founder & CEO of StackHawk, joins John Furrier for theCUBE on Cloud 2021.
https://siliconangle.com/2021/01/21/security-shifts-left-to-debug-critical-code-before-software-deployment-cubeoncloud/
Security ‘shifts left’ to debug critical code before software deployment
SPECIAL COVERAGE: THECUBE ON CLOUD BY MARK ALBERTSON
The cybersecurity world is a race against time: Organizations have a finite amount of resources and limited runway to find and fix bugs in code before malicious actors can discover and exploit them with damaging results.
The way to best minimize this exposure is to fix bugs before software has been deployed into cloud native or other environments. That means catching potentially fatal flaws as code is being written using tools that continuously integrate and scan in-process.
It’s an approach that represents a “shift left” in the DevOps world, a practice in software development where problem prevention is the priority versus detection after the fact.
“When we think about where security lives, it is either a blocker to deploying in production or it lives long after code has been deployed to production and there’s a security team constantly playing catch-up,” said Joni Klippert (pictured), founder and chief executive officer of StackHawk Inc. “They’re looking at it months after software has been deployed and then hurrying to assess where the bugs are and trying to get that back to software developers so they can fix those issues. Shifting left means software engineers are fighting those bugs as they are writing code or in the continuous integration/continuous delivery pipeline long before code has been deployed to production.”
Klippert spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the theCUBE on Cloud event. They discussed the need to bake security into the development process, cutting through the “noise” created by the large number of security vendors selling tools to protect code, the use of dynamic application security testing, and the value of penetration testing in the enterprise.
Understanding software development
The “shift left” approach offered by Klippert and her firm is a form of baking security into the development process rather than trying to bolt it on after software has been deployed into production. The case for baking in security is hard to oppose, especially as news of escalating ransomware attacks or a major breach makes headlines on nearly a weekly basis. It’s also hard to do.
“It isn’t trivial, and, in my opinion, there aren’t a lot of tools on the market that actually make that very easy,” Klippert said. “Because a lot of tools were built to run in production, it makes it really difficult to bake them in from the beginning. You really have to have a lot of empathy and understanding for how software is built and how software engineers behave in order to get this right.”
That level of empathy for the job of a software developer extends to issues within the cybersecurity industry itself. As threats have mounted, so has the noise surrounding numerous products that claim to offer the silver bullet for security protection in the enterprise.
“There were 1,300 venture-backed security companies since 2012 focused on selling to CISOs and Fortune 2000 companies,” Klippert noted. “It is a mess; it’s so noisy. Nobody can figure out what anybody actually does.”
Filtering out the noise
The concept behind StackHawk’s approach is dynamic application security testing, or DAST. This testing is applied against a running version of an application, searching for security bugs that could be identified by a malicious hacker. The goal is to filter out the noise and identify the critical issues that would be worth the time to fix.
“Limit the noise; make it as easy as possible,” Klippert said. “You make the tooling work so that it works for the software engineer and their workflow. Make sure that we only show the most critical things that are worth an engineer stopping what they are doing in terms of building business value and going back and fixing bugs.”
One of the security techniques in common use is penetration testing, a form of ethical hacking in which organizations deliberately attempt to breach their own systems as a way to find security flaws. Penetration testing is a growing market, forecast to expand to $4.5 billion in four years, but Klippert advises that automated scanning is also needed to surface the more easily found security flaws before a pen tester goes looking for the harder ones.
“Pen tests are important, and everybody should do them, but that should not be the introduction to these issues that are also easy to automate and find in your system,” Klippert said. “Run StackHawk in an automated fashion on your system, and then give the configuration and most recent results to your pen tester and say: ‘Go find the hard stuff.’”