Presentation

How to get security buy-in from developers: Make secure practices more approachable

The problem with DevSecOps is that you're not going to find many developers who are experts in everything. To build a secure development lifecycle and zero-trust networks, you need to offload secrets management, encryption as a service, and network segmentation to intuitive tools.

For years, organizations thought that a simple and effective approach to securing a company-wide system was a castle and moat approach: Everything outside the firewall and middleware protection is untrusted, and everything inside can be trusted. HashiCorp co-founder and CTO Armon Dadgar has many examples for why that's a bad model for data breach protection. He explains them in this presentation from AppSecUSA 2018.

Why can't you trust your own network?

The biggest reason you can't trust your internal network is human imperfection. Attacks that get bad actors into the network using legitimate employee credentials are a constant exposure: phishing or social engineering can hand an attacker the keys to the castle if your internal network is high-trust.

Another reason is that personal devices and partner corporations connect over VPNs, and there can always be gaps in that armor. Finally, there could be undiscovered bugs or misconfigurations that some hacker will find in the middleware protecting your trusted network.

Large-scale organizations can't afford to have a high-trust network like we see in the castle-and-moat model. We saw it with Equifax. They had an out-of-date dependency (a common situation in any enterprise) in a public-facing application, and an attacker was able to get into their open network through that application. If that network hadn't been high-trust, the attacker wouldn't have been able to move laterally so easily and access sensitive databases.

Target was hacked via an HVAC system in a similar way. With so many potentially vulnerable points on your network perimeter that you're not aware of, it's a bad assumption to allow free communication once inside that perimeter, or to give employees more access than they need. The castle-and-moat approach flies in the face of widely accepted security principles, namely defense in depth.

How do you build a zero-trust network?

Dadgar describes three additions to your security layers that provide a zero-trust network:

  • Secrets management: Secrets (API keys, TLS certificates, etc.) need greater protection, auditing, and hygiene, using a centralized solution that can protect, generate, rotate, and organize them.
  • Data encryption: Applications need non-transparent encryption when moving data, so they must interface with encryption systems and use them when transferring data to a database or elsewhere.
  • Traffic authorization: Traffic through the network needs to have an identity, a method for authenticating itself, and encryption.

This model potentially demands a lot more from your development teams than previous models, so organizations also need a way to get their development teams to be more active in security processes without adding significantly more work to their plate.

How to make it easier for developers and operators

It's not reasonable to make all developers security experts, Dadgar says. Developers shouldn't need to understand all the jargon from cryptography or network security. The key to removing most of these security efforts from developers and operators is to externalize concerns to application frameworks, specialized middleware tooling, and secure-by-default platforms. For example, HashiCorp Vault is a centralized secrets management middleware. Developers and operators can just talk to an API and Vault takes care of encryption, key management, key rotation, and more.

For traffic authorization, a popular route is using a service mesh, especially in a service-oriented or microservices architecture, where you need help managing connections between hundreds or thousands of services. HashiCorp Consul is a widely used service discovery, configuration, and service segmentation tool that provides those service mesh capabilities, which remove the need to track hundreds of changing IP addresses and take care of securing communication between services.

Watch the full presentation for further details and ideas to make secure development easier for developers and operators.
