Cody Chamberlain, Author at NetSPI
Author feed, last built Tue, 19 Mar 2024 15:09:08 +0000

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning
https://www.netspi.com/blog/executive/attack-surface-management/from-scanners-to-strategies-how-attack-surface-management-enhances-vulnerability-scanning/ | Tue, 19 Mar 2024 15:09:07 +0000
Vulnerability scanners and attack surface management work better together. See how the combination works toward a proactive security strategy.

The post From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning  appeared first on NetSPI.

Vulnerability scanners help scan known assets, but what about the assets you don’t know exist?  

Attack surface sprawl is a growing challenge: 76% of organizations have experienced some type of cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.[1] The constant expansion of attack surfaces has made visibility into potentially unknown attack surfaces more important than ever.  

Pairing vulnerability scanners with attack surface management (ASM) gives security teams high-fidelity analysis and prioritization of assets and exposures, while limiting noise and false positives commonly associated with technology-only platforms.

Why vulnerability scanners aren’t enough 

The issue lies in the fact that vulnerability scanners can only scan entities you tell them to. Vulnerability assessments operate on a tactical level, often treated as commodities where you acquire a scanner and direct it toward known targets.  

Vulnerability scanners rely on a policy that defines the scope and dictates where the scanner should focus its efforts, whether that’s on targets, networks, or assets. Without this essential step, the scanner lacks the intelligence to identify assets, as its sole purpose is to scan what it’s told to. On its own, vulnerability scanning produces a list of potential issues on the targets it was given; the tool can’t go out and find assets you haven’t explicitly told it to find. That’s where NetSPI ASM comes in. 

How NetSPI Attack Surface Management covers gaps

The beauty of ASM is its ability to uncover what’s unknown. This aspect is crucial as it offers a more strategic approach compared to traditional vulnerability assessments. When transitioning to ASM, security experts conduct specific operations to identify elements such as subsidiaries and various IPs associated with the organization. Through these efforts, previously undiscovered assets come to light that had been omitted from scanning and thus excluded entirely from a vulnerability assessment program. 

Vulnerability scanners paired with NetSPI ASM enrich the asset inventory, ensuring the scope of your scan is comprehensive.  


Leveraging technology, intelligence, and expertise for Proactive Security 

The advanced technology behind NetSPI ASM combines with our security experts to deliver the most comprehensive view of external attack surfaces. Our deep visibility helps you understand specific risks to your business so your team can spend less time sifting through alerts or responding to false positives. With the full force of NetSPI in your corner, you can navigate rapid innovation with confidence, while protecting the trust you’ve worked so hard to build. 

How do we go about enriching asset discovery?  

We research multiple data sources to identify external-facing assets, utilizing a combination of human intelligence and third-party services in our research, a task that a vulnerability scanner could never accomplish on its own. 

For example, we use a blend of various OSINT, proprietary and commercial sources, and techniques to continuously search the internet to identify your entire attack surface. The output of this process is a collection of items including, but not limited to, business and legal structures, domains, and IP addresses.  

Our team performs exposure identification by:  

  • Port scanning  
  • Certificate scanning  
  • DNS scanning / querying  
  • Sub-domain brute forcing  
  • Web application scanning  
  • SNMP queries  
  • UDP scanning  
  • TCP scanning  
  • Taking screenshots, grabbing banners  
  • API queries of configured cloud environments 

We utilize active and passive techniques to continuously identify the existence of exposures on assets. Active discovery is performed on all identified assets for ports, technologies, certificates, vulnerabilities, DNS records, etc., while passive discovery is performed through integrations with data feeds that allow us to enrich data found through active discovery.  

This detailed information gathering leads to high-quality findings, allowing us to report only on true positives, with thoroughly documented verification steps and remediation instructions. We provide detailed validation and evidence verification, so you only receive the true positives that matter the most, accelerating remediation and eliminating constant alerts and manual correlation from multiple sources. This is the “secret sauce” behind The NetSPI Advantage. Machine intelligence plus human intelligence is compound intelligence that benefits our customers. To put it simply, we go beyond for our customers so they can go beyond for theirs.

Vulnerability scanning vs penetration testing 

Both vulnerability scanners and penetration testing have their time and place to enhance the overall security of systems. The biggest difference is the depth of results from each measure. Vulnerability scanning is an automated process that identifies and reports potential vulnerabilities in a system, focusing on known weaknesses.  

Penetration testing, on the other hand, involves simulating real-world attacks by skilled professionals, a la The NetSPI Agents, to actively exploit vulnerabilities and assess the system’s security posture. While vulnerability scanning provides a broad overview of potential issues, penetration testing goes deeper, uncovering weaknesses that may not be apparent through automated scans. See if you’re getting the most value from your penetration testing reports. 

Empower your security posture with NetSPI 

The most helpful lesson we can share with anyone working to advance their security posture is: don’t go it alone. The shared learning from experts who have worked through the same challenges you face is invaluable for bringing clarity, speed, and scale to your security programs.  

Reach out to connect with our security experts or keep learning about NetSPI ASM by watching our demo.  

The Ins and Outs of External Attack Surface Management: What You Need to Know
https://www.netspi.com/blog/executive/attack-surface-management/external-attack-surface-management-forrester/ | Tue, 28 Feb 2023 15:00:00 +0000
Hear from guest speaker, Forrester analyst Erik Nost, about the growing adoption of using external attack surface management alongside pentesting.

The post The Ins and Outs of External Attack Surface Management: What You Need to Know appeared first on NetSPI.

Organizations need to proactively embrace the latest security strategies to protect against emerging risks. New, more advanced cybersecurity solutions are constantly developed to address core challenges in the industry. One of these new solutions, external attack surface management (EASM), entered the market in 2021 and is now starting to see increased adoption because of its ability to continuously discover, inventory, test, and prioritize known and unknown assets and exposures on a global external attack surface.

We recently had the pleasure of interviewing our guest Erik Nost, Senior Analyst at Forrester, during a webinar that explored external attack surface management in detail. Learn the key takeaways from the webinar and what to look for if you’re in the process of evaluating EASM vendors.   

How EASM complements external penetration testing 

Penetration testing is a mature cybersecurity solution and is more widely known than EASM today. However, many organizations still largely use penetration tests for compliance, essentially checking boxes because they have to. 

Threat actors thrive on this mentality.  

When penetration testing is approached with a compliance-first mindset for regulatory bodies and organization standards, tests are only completed a few times per year or less. Often no action is taken on the findings for months because teams are still building context and prioritizing which vulnerabilities need to be fixed first. 

On the other hand, organizations that are strategic about looking at penetration tests, red teams, and other control validation exercises to formally piece together a remediation puzzle achieve a stronger end state of security. EASM solutions help security teams keep pace with the rate of change in organizations today by offering continuous coverage of attack surfaces to find vulnerabilities as they arise. 

Pentesting is a priority that’s complemented by EASM with continuous discovery and prioritization of known and unknown assets and exposures. 

Watch Now: Breaking Down External Attack Surface Management (EASM) Featuring Forrester Analyst Erik Nost

Evaluating EASM vendors to make continuous pentesting a reality 

The responsibility of EASM often falls under security operations groups and vulnerability management teams rather than having team members solely responsible for EASM, such as an attack surface management analyst.   

These teams often have years of experience inventorying assets and identifying vulnerabilities, so they have a strong use case and the right experience to bring in an attack surface management solution. Vulnerability risk management (VRM) analysts, managers, and directors are the people who use ASM the most.  

Red teams and penetration testing teams are other groups involved in selecting and partnering with ASM vendors and can help develop plans to more rapidly discover assets to test and validate for any weaknesses or controls. If an organization has a threat intelligence team, an ASM vendor can also help build the threat models that team wants to examine to determine where the riskiest exposures are likely to be.

When evaluating and selecting an external attack surface management provider, organizations need to understand what the vendor brings to the table, including how they’re prioritizing risk and whether the approach matches their specific prioritization and remediation strategy. It’s also important to talk to potential ASM providers about how they can help support compliance and best practice frameworks. 

Looking ahead in EASM security 

The external attack surface management market has experienced a lot of mergers and acquisitions in recent years, with larger platforms that don’t have their own solutions buying up EASM providers. EASM may follow a similar path to vulnerability risk management (VRM), which has become a feature or solution within larger platform offerings.  

Some standalone external attack surface management vendors may remain, but they will likely also include complementary features and capabilities to improve how organizations identify and protect against cyber threats. For the most part, as we see increased convergence of ASM, VRM, cloud security posture management (CSPM), continuous threat exposure management (CTEM), and other security solutions, EASM is likely to be one component in broader platform offerings in coming years.  

NetSPI’s approach to EASM 

Taking the time to evaluate and select an external attack surface management vendor is critical to finding a solution provider that aligns with your goals and brings proven experience. External attack surface management is gaining adoption because of its complementary role to pentesting. Think of EASM as continuous, always-on penetration testing with the ability to discover assets and monitor them at scale for real-time exposure alerts. All of this information is presented in prioritized order within a centralized EASM platform.  

Global organizations trust NetSPI’s Attack Surface Management (ASM) solution to monitor their external attack surfaces. Through a combination of our powerful ASM platform, global penetration testing experts, 20+ years of pentesting expertise, and comprehensive methodology, we can help your organization discover and address vulnerabilities before adversaries do.  

Learn more about NetSPI’s attack surface management solutions or request a demo.  

For more insights on external attack surface management, watch the full on-demand external attack surface management webinar with featured guest Forrester analyst Erik Nost.


Cyber Security Summit: A Conversation with Cody Wass and Cody Chamberlain of NetSPI
https://www.netspi.com/news/netspi-in-the-news/cyber-security-summit-technology-alone-cannot-solve-cybersecurity-challenges/ | Thu, 17 Nov 2022 15:00:00 +0000
NetSPI's Cody Chamberlain and Cody Wass shed light on how technology alone cannot solve the greatest cyber security challenges.

The post Cyber Security Summit: A Conversation with Cody Wass and Cody Chamberlain of NetSPI appeared first on NetSPI.

On November 17, NetSPI Head of Product, Cody Chamberlain, and VP of Services, Cody Wass, were featured in the Cyber Security Podcast on Spotify. Read the preview or listen to the full episode online.

+++

Today’s glimpse is with Cody Wass, Vice President of Services, and Cody Chamberlain, Head of Product, of NetSPI, hosted by Wendy Meadley, CEO, Next Phase Studio. The Codys, as they are “affectionately nicknamed,” shed light on how technology alone cannot solve the greatest cyber security challenges. It is achieved when you effectively leverage technology to maximize the value of human creativity, experience, and ingenuity.

The Intersection of Cybersecurity Technology and Talent
https://www.netspi.com/blog/executive/security-industry-trends/cybersecurity-technology-and-talent/ | Tue, 02 Aug 2022 16:24:44 +0000
Learn why technology and talent cannot succeed on their own and read examples of how the two create massive opportunity for the cybersecurity industry.

The post The Intersection of Cybersecurity Technology and Talent appeared first on NetSPI.

NetSPI CEO Aaron Shilts recently wrote an article that centered around this powerful statement: Technology cannot solve our greatest cybersecurity challenges. People can.  

As Head of Product, this statement gave me a critical opportunity to pause and reflect on my team’s purpose and ask, “What is the true intent of our technology innovation?” 

The answer was abundantly clear: Technology should empower people and maximize the value of human creativity, experience, and ingenuity. It should enable people to do more, with less. 

But neither technology nor people can be a force multiplier on their own. It all comes back to the intersection of the two. Data is just data unless you can derive intelligence from it; tools are just tools unless you can leverage them to deliver outcomes. Shelfware has never made anyone secure. 

Cybersecurity Technology Pitfalls 

Today, security programs are faced with a dilemma: they do not have enough people to tackle their greatest challenges, yet technology alone has not provided the level of efficacy needed to improve security programs. Without people, technology cannot: 

🚫 Understand unique organizational needs 

Company infrastructures are distinct. While many organizations have the same technical security controls or operate in the same industry, the ways the controls are implemented and operationalized, and the context of each infrastructure can differ greatly. Additionally, risk profiles and tolerance vary. External pressures may be different, driving additional bifurcation in how they approach a specific problem. Technology alone cannot identify these nuances and adjust. 

🚫 Continuously manage and operationalize itself 

Tools need to be run. The process of evaluating, implementing, and operationalizing technology requires humans. This process often takes focus away from defending against cyber attacks. When we have limited resources, we need to make sure they are focused on the right aspects of the greater mission.  

🚫 Support security programs in a cost-efficient way 

The security industry is crowded with technology vendors offering a wide range of solutions. Research platform CyberDB has compiled a list of cybersecurity vendors which includes 3,500 companies – just in the US. It has become difficult for security leaders to effectively implement supportive technologies in a cost-efficient way due to redundant functionality, gaps in coverage, and other challenges that come with the crowded market. 

The Spectrum of Cybersecurity Tools 

To truly understand the value of the intersection of technology and talent, it’s important to define the opposite ends of the spectrum – from traditional services/consulting firms to standalone technology platforms. 

  • Traditional Services/Consulting Firms:
    • Expectations: A comfortable and trusting relationship with specific resources; easy to procure; professional services contracts are well understood; processes are easy to onboard and manage
    • Reality: Slow to scale; only as good as the consultant assigned; not maximizing the value; expensive; time consuming
  • Standalone Technology Platforms:
    • Expectations: All-in-one solution to a problem; use existing resources to manage the platform; low touch management
    • Reality: Lacks efficacy; purchased technologies do not meet expectations; requires dedicated resources to manage; opaque (“trust us it works”); operates without context specific to your business needs and risk profile 

So, how do you get the best of both worlds? 

Platform Driven, Human Delivered 

The solution to effectively execute the industry’s security missions with limited human capital lies within the combination of technology and talent. Together, they can be a force multiplier for the industry. 

At NetSPI we call this “platform driven, human delivered.” In our approach, we use technology to maximize human value by focusing human value on the right assets, at the right time. 

We “automate the automatable.” In other words, we leverage automation to handle mundane and repetitive tasks that take up valuable time for a human to perform. Take our three core services for example: 

Penetration Testing as a Service (PTaaS) 

The following features in Resolve™, our PTaaS platform, help to ensure our global pentesting team spends more time focused on higher severity issues like authentication, session management, and replicating real attacker behavior during our engagements. 

  1. Processing scans on behalf of the pentesters. Using our correlation engine, we’re able to bring disparate scan outputs into one finding.
  2. Providing additional dimensions of data to findings to help better prioritize the remediation of findings with Risk Scoring.
  3. Report generation. Our consultants do all their testing within a process management workflow which allows them to simply generate a report at any point in the engagement.
  4. Process management. Deliver quality and consistency through workflow and process management automation, quality assurance, and communication. Adding automated components to these functions allows the pentesters to be more creative in their approaches and spend time finding higher severity findings. 

Attack Surface Management 

The following features of our attack surface management solution combine the power of technology and talent by:  

  1. Leveraging the cloud. We’ve taken our tools and techniques from over 20 years of external network penetration testing and are now utilizing the advancements in cloud technology to effectively scale that IP / knowledge capital.
  2. Continuous monitoring. Leveraging technology to continuously monitor clients’ known assets and ensure they are free from critical issues, and to provide visibility into the parts of their attack surface they are unaware of.
  3. Using human input to determine signal vs. noise. In tandem, we utilize our human experts to parse and manage that data to extract “the signal from the noise” to help organizations understand what’s at risk and which exposures to prioritize.
  4. Making all the data available to clients in the platform so they can use it for analytics and pattern identification. 

Breach & Attack Simulation  

On average, NetSPI clients detect roughly 15% of the attack techniques we run in their environments, and this includes security programs that have spent millions on controls. We automate the automatable by: 

  1. Connecting the execution of attacks in client environments with a NetSPI expert to help prioritize and get context into how we benchmark against industry peers.
  2. Automating attack plays that map back to the MITRE ATT&CK framework, paired with human expertise to help make informed prioritization decisions about the attack techniques most relevant to your business.
  3. Tracking ongoing improvements, or reductions, in detection capabilities over time to empower defense teams to make the case for additional resources and shore up their defenses.  

Becoming a Force Multiplier in Offensive Security 

As an industry, we need to take a step back and evaluate, “what do we need to do to protect ourselves?” What are our priorities? 

From an offensive security perspective, our clients need to identify all assets, identify vulnerabilities on those assets, and remediate them. No one person, and no one tool, can achieve these goals alone. But together? The opportunity for success is exponential. 

After all, technology cannot solve our greatest cybersecurity challenges. People and technology can. 

Want to experience “platform driven, human delivered” offensive security solutions? Contact us.

The CyberWire: Cody Chamberlain on Breach Communication
https://www.netspi.com/news/netspi-in-the-news/cyberwire-breach-communication/ | Thu, 30 Jun 2022 15:52:00 +0000
On June 30, 2022, NetSPI Head of Product, Cody Chamberlain, was featured on the CyberWire Daily podcast.

The post The CyberWire: Cody Chamberlain on Breach Communication appeared first on NetSPI.

On June 30, 2022, NetSPI Head of Product Cody Chamberlain was featured on the CyberWire Daily podcast. Read the summary below or listen to episode 1610 online (starts at 14:37).

+++

  • The two pillars of breach communications: There are things you have to do and things you should do when responding to clients. Empathy and transparency will be key in communicating with them.
  • Plan the work, work the plan: Building the incident response plan, knowing who to work with, and trusting the process will give you the confidence you need, so emotions are less likely to take over.
  • Empathize with clients: Being transparent with clients will appease their needs and worries.

Techstrong: Data Breach Communication – Cody Chamberlain, NetSPI
https://www.netspi.com/news/netspi-in-the-news/techstrong-data-breach-communication-plan/ | Mon, 06 Jun 2022 16:54:00 +0000
NetSPI Head of Product, Cody Chamberlain, was featured in an interview on TechStrong called Data Breach Communication – Cody Chamberlain, NetSPI.

The post Techstrong: Data Breach Communication – Cody Chamberlain, NetSPI appeared first on NetSPI.

On June 6, 2022, NetSPI Head of Product, Cody Chamberlain, was featured in an interview on TechStrong called Data Breach Communication – Cody Chamberlain, NetSPI. Read the summary below or listen to the interview online.

+++

Data breaches are occurring more frequently than ever before – even with the best security precautions in place. While a cyber-attack may be out of an organization’s control, one thing it can and should control is how it communicates a breach to involved parties. Cody Chamberlain, NetSPI Head of Product, discusses the three key elements to implementing a successful data breach communication strategy: an incident response plan, open communication, and transparency. 

Security Magazine: The Do’s and Don’ts of Communicating a Data Breach
https://www.netspi.com/news/netspi-in-the-news/security-magazine-dos-and-donts-communicating-data-breach/ | Mon, 23 May 2022 16:49:00 +0000
NetSPI Head of Product, Cody Chamberlain, published an article in Security Magazine called The Do’s and Don’ts of Communicating a Data Breach.

The post Security Magazine: The Do’s and Don’ts of Communicating a Data Breach appeared first on NetSPI.

On May 23, 2022, NetSPI Head of Product, Cody Chamberlain, published an article in Security Magazine called The Do’s and Don’ts of Communicating a Data Breach. Preview the article below, or read the full article online.

+++

Data breaches are occurring more frequently than ever before, even when organizations have the best security precautions in place. According to the Identity Theft Resource Center’s 2021 Data Breach Report, data breaches rose 68% from the previous year, reaching the highest number ever reported. That said, while a cyberattack may be out of an organization’s control, one thing it can and should control is how it communicates a breach.

Many corporations have developed canned responses to breaches along the lines of “We identified a breach of our systems, and you have been identified as being impacted. Your security is of the utmost importance to us, so we’re providing you with free monitoring.” 

However, more sophisticated and impactful breaches need a more detailed response plan, one that focuses on getting systems back online and defines what steps the organization will take to prevent another breach from occurring. There are three key elements to implementing a successful data breach communication strategy: an incident response plan, consistent communication, and transparency. 

Lean into the Incident Response Plan

An incident response plan is one of the most critical components of the customer notification process, as it enables an organization to acknowledge that it has fallen victim to an attack while also taking ownership and focusing on the customer.

Following a data breach, the customer ultimately wants to know three things: if their data has been stolen, the risk to the data at the time of the incident, and if they need to take additional action with the government or law enforcement to assist in the investigation. 

The incident response plan should provide accurate and timely information that accounts for all these customer questions and keeps their best interests in mind. This plan must be communicated and adopted beyond security and IT teams by a crisis management team that extends across all departments. Every person in the communications chain must report their findings to the executive level for all angles and aspects of the breach to be considered. 

An organization must also proactively work with legal and finance teams to understand which regulatory bodies, government entities, and insurance agencies to notify. Once all information is made clear, the organization can convey the details of the incident to the customer in a quick and straightforward manner, and, in high-profile situations, present the case to the public. 

Read the full article online.

Overcome Cloud Security Challenges with Purpose-Built Cloud Penetration Testing
https://www.netspi.com/blog/executive/cloud-security/purpose-built-cloud-penetration-testing/ | Tue, 01 Jun 2021 07:00:00 +0000
Take a deeper look at common cloud security challenges and learn how to modernize your cloud penetration testing efforts with configuration review.

The post Overcome Cloud Security Challenges with Purpose-Built Cloud Penetration Testing appeared first on NetSPI.

A Bloomberg Intelligence report forecasts cybersecurity spend to exceed $200 billion a year by 2024, driven by “faster-than-expected adoption of cloud-based security.” Further, Gartner says that the proportion of IT spend moving to the cloud will increase in the aftermath of the pandemic. Not to mention spending on cloud infrastructure such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and others reached $39.9 billion in the fourth quarter of 2020 – up $10 billion from 2019.  

Simply put, cloud is top of mind for all security professionals today as it is a natural way to increase capacity or deploy projects in this new realm. The increased emphasis on cloud can be attributed to the pandemic-driven demand to support remote working and learning, ecommerce, content streaming, online gaming, and collaboration, according to Canalys.

As cloud adoption accelerates (and shows no signs of slowing), there is no better time to take a deeper look at common cloud security challenges and learn how to modernize your cloud penetration testing efforts to mature your cloud security program effectively and efficiently.

5 common cloud security challenges and risks

  1. Managing cloud workloads deployed outside traditional security governance processes. Access to entire technology stacks is available to anyone with a credit card. The security of technology acquired outside your governance processes, known as Shadow IT, depends solely on how aware that business unit is of its projects' security needs. If you can identify workloads deployed outside your IT environment, you can test that separate environment to gain some assurance that it was deployed securely, while still supporting a business unit whose needs the traditional IT program may not meet.
  2. Resource asymmetry between attackers and defenders. Attackers are limited only by their persistence when attacking your cloud environment. Security teams, on the other hand, are constrained by budget, staffing, and a myriad of other challenges. A cloud configuration assessment that informs a penetration test lets you identify the issues an attacker could find, but in an efficient way that maximizes your investment.
  3. A simple error can have a catastrophic impact. Traditional IT infrastructure is notoriously slow to adopt innovation, but it has the benefit of several layers of defense. Infrastructure-as-Code delivers entire data center capabilities in a Python script, but one minor error in the deployment can expose your environment directly to the internet.
  4. The cloud is evolving, and attackers are identifying novel attacks faster than the security industry can protect the attack surface. Cloud environments can be very complex, and providers like AWS, Azure, and Google Cloud release new capabilities so often that it is difficult for security to keep up. For example, in April 2021, AWS posted nearly 200 announcements about new capabilities, services, features, and region expansions. 200 announcements in a single month. There are not enough people with tenured, seasoned experience in deploying cloud workloads to do it securely. It is no surprise that cloud security topped ISC2's list of the most important skills needed to pursue a cybersecurity career.
  5. Lack of awareness that cloud security follows the shared responsibility model. It is right to trust cloud providers to secure aspects of your workloads; however, your security team retains significant responsibility for security as you migrate to the cloud. This is the shared responsibility model, and it varies by provider and by service type. Defining your and your providers' responsibilities is imperative for reducing the number and criticality of vulnerabilities introduced into your cloud environments. You can review the shared responsibility models for Microsoft, Amazon, and Google Cloud online.
[Figure: AWS shared responsibility model. The customer is responsible for security 'in' the cloud; AWS is responsible for security 'of' the cloud.]

How to modernize your cloud penetration testing efforts with configuration review

It can be difficult to understand the difference between testing an application that is hosted in a cloud environment and testing the environment in which an application is hosted. Both are vital.

While network penetration testing and application penetration testing focus on identifying vulnerabilities in a particular set of assets within an environment, cloud penetration testing requires a different approach. Because the cloud is an environment in itself, it is important to also examine the infrastructure supporting that environment, not solely the applications and assets deployed as part of the workload. You are not only testing workloads; you also need to identify issues inherited from parent subscriptions, such as elevated IAM privileges or privileged access to sensitive systems and/or data.

Most organizations are testing cloud environments the same way they have been testing for years, resulting in a massive gap in attack surface visibility. If your organization truly wants comprehensive testing, a focus on cloud configuration should be a large component of your cloud penetration testing strategy.


A configuration review is used to inform a penetration test. If you were to approach cloud penetration testing the way you approach traditional application or network penetration testing, you would be blind to the configuration of the platform. 

An analogy that works well to explain configuration review is a doctor’s visit. If you want a doctor to identify what is wrong with you in an hour-long visit, you’d have to inform them of your symptoms, medical history, recent activity, etc. Without the background information on your health, it would require excessive time and resources to run blood tests, x-rays, etc. to get the information needed to identify what the potential issue is. A configuration review is similar in that it gives pentesters the ability to identify root issues in an efficient way, the same way a malicious attacker would over the course of months – or years. It allows pentesters to act as closely to an attacker as they can within the parameters of your security budget.

Configuration reviews also allow testing teams to provide context to penetration test findings. Say you misconfigured a storage bucket. With a greater understanding of the configuration issues, you gain insight into the root cause of critical vulnerabilities caused by the misconfiguration. For example, “we found an issue with this storage bucket which allowed us to exploit _____ during the penetration test.”

Another emerging concept within modern cloud penetration testing is continuous testing and monitoring. Cloud environments are ephemeral (they have short lifecycles), so we often hear the question: how helpful is the information from a cloud penetration test if the environment keeps changing? If you are reviewing the configuration of your cloud platform to support penetration testing efforts, you have set the foundation for cloud security success. To address the ephemeral nature of the cloud, more frequent tests and continuous monitoring of the attack surface are key tactics for staying on top of newly introduced vulnerabilities.
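As an added example, and not NetSPI's code, here is a small configuration-review check for the storage-bucket case the post uses: it reads a constructed S3 bucket policy, flags the errors a pentester would want surfaced before testing begins, and shows a corrected policy that passes the same check. The bucket name, role name and account id are placeholders.

```python
import json

# Constructed sample: the "misconfigured storage bucket" from the post,
# expressed as a bucket policy that lets anyone read and list it.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"]}]})

# Constructed sample: the corrected policy. Reads are scoped to one role
# (placeholder account id) and a Deny blocks any non-TLS request.
HARDENED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RoleReadOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement applies to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def review_bucket_policy(policy_json):
    """One finding per Allow statement reachable anonymously or granting a
    wildcard action. Deny statements are skipped and Conditions ignored,
    so the check is conservative: a conditional public Allow still flags."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if _is_anonymous(stmt.get("Principal")):
            findings.append((stmt.get("Sid"), "anonymous principal"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((stmt.get("Sid"), "wildcard action"))
    return findings
```

Run the same function on every bucket policy in an account on a schedule and the output becomes the continuous-monitoring signal the paragraph describes, with each finding carrying the statement id that explains the root cause.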

Final thoughts

There is no better time than now to bring your security testing and cloud teams together to talk about what cloud testing means for your organization. When configuration review is included, cloud penetration testing allows you not only to test for vulnerabilities, but also to develop an inventory of your cloud workloads, understand what data is in those workloads, and develop your testing plan for cloud-based applications.

The post Overcome Cloud Security Challenges with Purpose-Built Cloud Penetration Testing appeared first on NetSPI.

Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster https://www.netspi.com/blog/executive/personnel-development/relationships-development-application-security-vulnerabilities/ Tue, 02 Feb 2021 07:00:00 +0000
It’s simple in theory. Finding, fixing, and even preventing, vulnerabilities is a shared responsibility between security and development teams. That being said, silos still exist between DevOps and application security teams. DevSecOps – symbolically putting security at the center – is a great theory but is only effective if these groups work together to develop the people, process, and technology needed to be effective.

In fact, a recent Ponemon Institute Research report shows that 71 percent of AppSec professionals believe security is undermined by developers who don't include proper security functionality early in the software development life cycle (SDLC). That statistic, to me, shows that there is a substantial divide between development and security teams, a divide that can (and should) be overcome. It's not surprising, though, that these divides exist considering how teams are spread thinner every day while aiming to increase release velocity. If we are going to solve these problems, we need to focus on creating human connections across teams, and a DevSecOps mentality will become not just policy, but also culture.

Come together by understanding motivations

In my experience, developers and security personnel don’t think that differently. They just have different incentives. Developers work to move through the SDLC quickly to get applications launched. Security teams, on the other hand, are incentivized to make the SDLC process as secure as possible, which is oftentimes viewed as slowing down progress by adding non-functional security requirements. If this is the viewpoint, it is no wonder that the groups may be at odds. Human relationships – even in the work environment – need to find common ground.

One of the best books I’ve read is Hit Refresh, the New York Times bestseller about the transformation happening inside Microsoft, from its CEO Satya Nadella. As Satya describes, “It’s about how people, organizations, and societies can, and must, transform and “hit refresh” in their persistent quest for new energy, new ideas, and continued relevance and renewal.” He is able to achieve this “refresh” he describes by being “out in the world, meeting people where they live and seeing how the technology we create affects their daily activities.” I believe in this philosophy and it has direct parallels to how we work in security.

Empathy for our colleagues and the relationships we develop with them is critical to achieving success within organizations because we can understand how the policies and procedures we develop impact their work and why the outcomes we expect often don’t materialize. Some may view empathy as letting people off the hook for not performing a specific task. But it’s important to connect empathy with accountability. By understanding the needs and incentives of our peers, we develop policies and procedures that are fair and transparent. Holding each other accountable is not only fair, but expected – as a result, security and development teams will uncover creative ways to collaborate to ultimately achieve overlapping goals, faster and with less friction.

Simple steps to start building a strong and productive relationship between development and security teams are:

  • Spend time connecting with people – A Journal of Experimental Social Psychology study, reported in the Harvard Business Review, found that face-to-face meetings are 34 times more successful than email. This also provides a forum to develop a mutual understanding of each team's incentives and mission. Or, if working remotely, set up a video conference between security and development teams.
  • Creating processes together – Oftentimes development and security teams build processes separately, in a silo. Coming together at the start will help to develop realistic and cohesive goals, processes, and metrics. Further, each team can help make the case for support, even financial or budget support, on behalf of the other team when necessary. There have been times in my career when I was able to secure additional budget or resources on behalf of infrastructure or development teams to ensure they were able to support a specific security initiative.
    • “What do you need to effectively support this? I’ll do my best to include it in the project budget.”
  • In a ticket-driven world, cleanup is essential – Stacks and stacks of IT tickets notifying of vulnerabilities will never motivate an already stressed development team, especially if they have not been deduplicated and scrubbed of false positives. Taking the time to clean up this process will show developers that the security team does not want to waste time, respects its SDLC counterparts, and wants to quickly get to the root of any vulnerability issues, particularly high-severity ones. Tickets are important for tracking and accountability, but let's make sure we're giving the right information to the right person at the right time.
  • Leveraging automation, in combination with manual pentesting – An effective, reimagined AppSec program includes being able to manage manual penetration testing and secure code review augmented by automated vulnerability discovery tools that are deployed at various phases of the SDLC process. Shifting to this mindset will take collaboration and commitment amongst the DevSecOps teams.
    • “What tools make the most sense and how can we maximize the value of existing investments?”
    • “What is the roadmap for the development team and how do we ensure we can grow together?”
  • Bringing empathy to the situation to have credible conversations – Allowing openness and a safe space to say “I don’t know, but I’ll get the answers” will go far in building a strong DevSecOps team. At the end of the day, we’re all supporting the same business and striving for excellence. Let’s work smart, lead with integrity, and treat each other with respect to ensure we meet that end goal and, hopefully, have a little fun along the way.

It’s come to be expected that security is an emergent property of software. In fact, with Continuous Integration/Continuous Deployment (CI/CD) being adopted more and more, both development and security teams must come together, bringing empathy, accountability, and collaboration into the process, by working toward the same goal with transparency. When done, I’m confident that DevSecOps can become the norm.
