The way we build software has changed.
The world has moved on from virtual machines into containers and functions as a service (FaaS), and the trend toward distributed systems has forced us to rethink how we build security into our software. We build software to process more data than ever and the stakes have never been higher.
Focus On Security Early And Avoid Slowing Forward Progress
With an endless parade of high-profile breaches in 2017, we were reminded that maintaining a portfolio of secure software while under constant attack by hostile entities isn’t easy. We expect security perfection, but defect-free software doesn’t exist. When we ship software at the speed of light but allow security debt to accumulate year after year, it gets harder to make meaningful progress. If we don’t get a handle on security early and continuously — through a balance of human-driven intelligence and the appropriate automation — we’re not going to succeed.
Avoid The Trap Of Trying To Buy Security Tools To Kick-Start Your Process
Technologies such as containers, serverless functions, infrastructure-as-code and policy-as-code along with continuous integration and continuous deployment (CI/CD) models enable modern software teams to move faster than ever. Adding additional complexity and design considerations, container orchestration and distributed operating systems provide robust application programming interfaces (APIs) to manage and secure your services. While these tools provide immense security opportunities, they present new operational and technical challenges that many teams are not prepared for. If our approach to securing distributed systems is purchasing a pile of security tools, we’re doomed.
Assume Your Systems Will Eventually Be Breached Or Grow In A Way That Will Degrade Security
At AWS re:Invent 2017, Netflix discussed performing chaos at Netflix scale and how they test their software at scale to trigger faults in unanticipated ways. With the complexities introduced by modern software design patterns and platforms, identifying undesirable scenarios through intelligent and extensive automation is essential.