How to Collaborate on Infrastructure Security


Summary

Building strong collaboration on infrastructure security requires breaking down silos between teams to ensure that everyone—from security and development to infrastructure—works together to identify and address risks proactively.

  • Create shared goals: Align team objectives by establishing common security metrics and tracking progress through shared tools like dashboards or spreadsheets.
  • Encourage cross-functional learning: Host sessions or job shadowing opportunities to help teams understand each other’s responsibilities, fostering mutual trust and improving communication.
  • Integrate security early: Incorporate security considerations into development processes from the beginning, making it a collective responsibility rather than an afterthought.
Summarized by AI based on LinkedIn member posts
  • Daniel Sarica

    Founder & Cybersecurity Consultant @ HIFENCE | We support business owners with expert security & IT services so they can focus on strategy. // Let me show you how 👉 hifence.ro/meet


    Collaborative teams eliminate security vulnerabilities that siloed teams create. Here's how it works:

    When looking at enterprise IT structures, I see two distinct approaches with dramatically different outcomes:

    Siloed Approach (Left side):
    ↳ Security Team - Focuses on protection but remains disconnected from business objectives
    ↳ Infrastructure Team - Builds and maintains systems in isolation
    ↳ Development Team - Creates applications without integrating security

    Each team works independently. They communicate through tickets and leave business users caught in the middle. This creates blind spots where threats thrive.

    Collaborative Approach (Right side):
    ↳ Security Team - Integrates security throughout development lifecycle, provides proactive guidance rather than after-the-fact roadblocks
    ↳ Development Team - Creates applications with security built in from day one, leverages secure coding patterns and automated testing
    ↳ Infrastructure Team - Designs flexible, scalable environments that support both security requirements and development needs

    With business objectives at the center, information flows continuously between teams:
    ↳ Everyone takes responsibility for security rather than treating it as a bottleneck
    ↳ Teams identify vulnerabilities earlier when they cost less to fix
    ↳ Organizations achieve compliance naturally rather than through painful exercises

    The collaborative approach requires intentional design:
    ↳ Shared tools and platforms
    ↳ Cross-functional team meetings
    ↳ Unified metrics and KPIs
    ↳ Joint accountability for outcomes

    These aren't just theoretical concepts. I've seen organizations improve their security posture by breaking down these walls.

    Where does your organization fall on this spectrum?

  • Chris Lindsey

    Application Security | Supply Chain | Global Speaker | Educator | Mentor | DevNetwork Security Advisory Board | Community Leader | Podcast host of Secrets of AppSec Champions


    This year at #RSA, I found some kindred spirits—passionate AppSec people who are doing amazing things with their security program. We had a bunch of long and energetic talks that really got me thinking. Let’s start by talking about security/developer relationships.

    When it comes to security and developer relationships, two big—and arguably connected—talking points emerged: communication issues and silo issues. When I asked if any developers were working on the security team, most of the security people I spoke with said no. I got the same response when asking whether critical findings were reviewed by the AppSec team before talking with developers. I then followed up with, “Do general security personnel understand the application security tool findings?” Most said (and I’m paraphrasing here), “kind of, but not really.”

    The common theme is clear. For a program to be successful, you need to break down those silos with increased cross-functional sharing. That also means increasing communication and understanding within the security team itself. Security executives need to understand that application security is a specific area of expertise that can’t be staffed with a network security resource.

    A few ideas to get you on the right path:

    1. Shared goals. Application security is about building trust, not roadblocks. Work with the development team to build actionable goals that will improve your security posture while enabling developers to work through their backlog.
    2. Communication. Work with the development team to find a dev who can review application security tool scan or penetration test findings/results and share actionable items with the development team.
    3. Build knowledge bridges. Breaking down silos starts with building goals based on cross-functional knowledge. For instance, I once created an API coding and security best practice document based on feedback from both devs and the AppSec team. I worked with software architects to outline coding best practices and to incorporate security best practices. This built a relationship between both teams that is still active today.
    4. Integrate application security education into development processes. Without this, you can’t improve your security posture. Put a plan together that starts at onboarding and continues bi-yearly. There are great programs out there that help teach what vulnerable code looks like and the proper coding resolution to resolve them.
    5. Hire passionate people. They will drive your program to success.
    6. Know you can’t hit 100% coverage or remediation. It’s an impossible goal. Plan for the worst, aim for the best, and hope to hit 90%.
    7. Build a security champion program. I’ll get into this in more detail in my next post, but it’s worth mentioning here as a great way to energize your program.

    Please share your thoughts in the comments below, I would like to hear what you’re doing that could help others be successful. As always, stay secure my friends.

  • Robert Higham

    Cybersecurity Leader | Generative AI Innovator | Risk Management Strategist


    For anyone in DevOps, CloudSec, or a CISO looking for actionable insights on Cloud Security Strategy, Lori Higham's recent webcast is a great resource. Her points are practical and directly applicable, especially for those working with cloud migration and deployment.

    Key Points (I had AI help so hopefully it got it right).

    Structured Strategy is Essential:
    * She emphasizes the importance of having a well-defined strategy as the initial step. This involves understanding what will be hosted in the cloud, how it will be protected, and how applications and their dependencies will be migrated.
    * She highlights the need to plan the architecture and configuration of cloud services, focusing on what capabilities should be allowed or restricted (with Automation in mind from the beginning).

    Automation is Crucial:
    * Lori stresses that automation is a key component of a successful cloud security program, especially for larger organizations.
    * Automation enables centralized management, consistency, and efficient handling of alerts and detections.

    Collaboration Between Teams:
    * She emphasizes the necessity of close collaboration between security teams and devops teams.
    * This collaboration ensures that security requirements are integrated into the development process from the beginning.
    * She highlights the importance of the teams that build the assets and the teams that secure the assets, and that both are equally important.

    Infrastructure as Code (IaC) Benefits Security:
    * Lori acknowledges the significant benefits of IaC for security teams.
    * IaC allows for centralized management and standardization of security configurations.
    * It reduces the time security teams spend on manual tasks and enables consistent enforcement of security policies.

    AI's Role in Security:
    * She believes that AI can be valuable in summarizing large amounts of data, providing insights, and streamlining security processes.
    * She cautions that AI should not replace human expertise, especially in areas like fact-checking.

    Remediation and Time Reduction:
    * She recognizes the problem of backlogged security issues, and how that leads to incidents.
    * She believes that AI can help reduce the time between finding a security issue, and remediating that issue.
