Analysis of cloud native application security organization structure
2022-07-27 22:55:00 【Software testing network】
Cloud and DevOps have played a major role in this transformation and have completely changed the way we develop and operate software. Software has never been easier to create or updated more frequently than it is today, and we have never innovated so quickly to meet customer needs.

Faced with such a change, security has no choice but to adapt. Enterprises must and will continue to strive for speed, and independent teams are the only way to achieve it. The way we protect applications must change so that it becomes part of the daily work of these independent development teams. Security teams first need to focus on helping these teams achieve security; security needs to become developer-first.
The security industry has not been part of the DevOps journey. Security processes tend to gate ongoing processes rather than merge into them. It is worth noting that the security process fails to achieve the following:
Empowering independent development teams: security capabilities are owned by a single team, the development team has no authority to make security decisions, and the tools are designed mainly for auditors rather than builders.
Continuous operation: the security process still relies heavily on manual gates, such as security audits or result reviews, which slow down the continuous process.
Letting security work against the business motivations of speed and independence cannot end well. Development teams are forced to choose between slowing down (which damages business results) and circumventing security controls (which introduces significant risk). Neither is a viable long-term option, so enterprises must change their security practices to adapt to the DevOps reality.
DevOps drives the need for developer-first security methodologies, and in the era of digital transformation we have also seen the evolution of the cloud and of cloud native applications. The scope of a cloud native application is broader than that of its predecessors, and increasingly includes more elements of the underlying stack.
This change in application scope also requires a change in the scope of application security. This article discusses a new, expanded scope of application security, called cloud native application security (CNAS).
Adopting CNAS requires major changes to the way we protect applications and infrastructure. The transformation is a journey, and every organization, and even different parts of the same organization, will experience it differently.
Although choosing the right path is up to you, patterns and best practices have begun to emerge that can help you find it. In this article, I propose several areas where we might consider breaking the status quo, and how to do so.
Rethinking the security organization
Organizations are usually split by scope of responsibility. When you start to treat the protection of some parts of the infrastructure as an application security problem, you should reconsider how the security organization is built. More specifically, consider whether to change the scope of responsibility of the application security team.
In addition, as your security practices become more developer-oriented and focus on empowering developers, your requirements for the application security team will also change. You need more empathy and project management, and more engineering skills. You need more builders and fewer breakers.
To help you evaluate the organizational structure of the security department, here are the three most common team scopes I see in the field of application security: core application security, security engineering, and the newer product security. These should serve as reference points for how to build an organization, not as a perfect model to copy.
Core application security team
Let's start with the status quo, keeping the same scope for the application security team. Because this is the default state, most organizations use this team scope, at least as a starting point.
The task of the core application security team is to protect custom application code and business logic, as well as the open source libraries in use. They usually have the classic application security testing (AST) kit, including static, dynamic and interactive application security testing (SAST, DAST and IAST) to find vulnerabilities in custom code, and software composition analysis (SCA) tools to find vulnerable open source libraries. In addition, these teams usually develop security education and training, and may run vulnerability management or bug bounty programs. In some cases, they may also use RASP or WAF tools to implement runtime application protection.
Members of the core application security team usually need to be experts in secure coding, with some experience in application security auditing and secure code review. They need good developer empathy to work with developers, which in turn requires some understanding of or ability with code, but a full software development background is not required.
The main advantage of sticking with the core application security team is its long-standing position in the industry. It makes it easier to recruit professionals with experience across the whole scope of the team. As for tools, this is an area where tools and practices are well documented. From the perspective of organizational structure, most of the industry will see an application security team as similar to a core application security team.
Although the scope of the core application security team maintains the status quo, its methodology tends to become more developer-friendly. Application security teams usually assign individuals in the team as partners to several development teams, to help promote better collaboration. Many peers in the application security field run a security champions program, which helps them gain scale and embed more security expertise in the development teams. Although the scope remains basically the same, the internal practices of the core application security team need not be the traditional ones.
Security engineering / security platform team
Automating the steps of the security control process is key in a modern development environment. A fast CI/CD pipeline has no room for manual review; it requires automated pipeline testing. In addition, developers are not security experts and spend little time on security, so they need tools with embedded security expertise that can reduce or facilitate security decisions.
Building and operating security tools is not easy, especially in large organizations where different development teams have different requirements. To help improve automation, some organizations have created dedicated security engineering teams that focus on building internal tools and integrating external ones, all in order to enhance security.
The security engineering team consists of software engineers with a slight security bent, and operates in a similar way to a full DevOps engineering team. They usually build, deploy and operate the services they create, and run their agile processes and manage their product backlog in the same way as other engineering teams.
If the workload is not large enough to justify a dedicated team, the same activities can usually be embedded in the core application security team. However, even though teams called "security engineering" are fairly consistent in their charter, the (increasingly common) title of security engineer varies greatly in its individual responsibilities. Some are the software engineers described above, while for others the "engineer" part of the title refers to the security field.
A security engineering team is a good way to really improve the degree of automation, and is an excellent parallel to the platform or site reliability engineering (SRE) team on the operations side. In fact, in quite a few cases, the scope of the platform team has been expanded to include building and operating such security tools. This is also a good way for software engineers to join the security team, helping to solve the talent shortage and building more developer empathy in the security team.
Product security team / cloud native application security team
The newest member of the security team model is the product security team. These teams have a larger scope: not only the application code itself, but everything related to the product. Most notably, two key new features are capturing the complete CNAS scope and helping to build security features into the product itself.
Complete cloud native application security scope
Expanding to include the CNAS scope is the natural result of rethinking some infrastructure risks as application security. Now, technologies like containers and IaC are all created by writing custom code, driven by the same developers using the same practices and tools. To support this change, the AppSec team needs to support these engineers in doing so successfully. A team that embraces this broader group is often referred to as the product security team.
This extended CNAS scope means that the product security team works across a larger part of the software development lifecycle, including more participation in production deployment and even operations, and as a result overlaps with the more operations-focused cloud security team. In practice, cloud native development means that cloud security is influenced by both development and operations teams, with the product security team covering the former.
Note that many core application security teams are expanding to cover the complete CNAS scope without formally changing their team name or mission. Selecting and implementing solutions to scan container images for vulnerabilities and to audit IaC files is increasingly the domain of application security teams. Although it is safe to assume that a product security team has captured this complete scope, such a rename is not strictly necessary, and many application security teams have evolved without such a statement.
Product security features
Unrelated to CNAS but still worth noting is that the product security team has a more user-facing part of security to participate in: security features. As users' awareness of the importance of security grows, many products want to build dedicated security features and differentiate themselves through them. Determining which security features are valuable requires a degree of security understanding that the development team may not have but the security team does. The product security team usually plays a clear role here, cooperating with the product managers (PMs) who own the complete product features and value proposition, more than ever before.
This responsibility plays an important role in the relationship between the application and security teams. Security controls are a means to reduce risk, but being able to offer that risk mitigation as a security feature means it can help increase revenue. Increasing revenue is another goal shared by the two teams, and it is more visible than reducing risk, which makes success easier to celebrate.
Evolution of product security
Product security is a new title and scope, and it is still being defined. Given its wider scope, it is usually a senior title or a large team that includes the other teams mentioned. In some cloud native organizations, product security is the main scope of the chief security officer (CSO); other organizations have begun to appoint leaders as chief product security officers (CSO).
Atlassian's chief information security officer (CISO) Adrian Ludwig said it best: "The goal of product security is to improve the security of products, and to represent customers' security expectations to the development team internally." Companies such as Twilio, Deliveroo and Snyk also use this title, and I believe this is the right way to address CNAS.
What about DevSecOps teams?
You may have noticed that I did not mention the name of a DevSecOps team, and that is not by chance. Like DevOps, DevSecOps is not a team; it is a movement that aims to embed security into core development and operations. In my opinion, it should not be the title of a team.
However, just as DevOps teams exist, DevSecOps teams also exist, and their missions vary widely. Sometimes they are actually a cloud security team focused on operations and runtime security. At other times they are more like a platform team, with a scope of responsibility similar to that of the security engineering team. Because the title does not imply a specific set of responsibilities, the scope of a DevSecOps team's responsibility is not really definable.
However, what all these teams have in common is forward-looking thinking. DevSecOps aims to change the way we do security, and DevSecOps teams, regardless of their scope, always see themselves as agents of change. They embrace automation and the cloud, prefer engineered security solutions to auditing, and are committed to empowering development and operations teams to protect their own work.