Development teams are earning their keep (and then some) during the pandemic, keeping up with — and staying ahead of — prevailing 2021 trends in eCommerce and mobile security.
The PYMNTS May 2021 Playbook, Solving The Performance And Security Equation: The New Rules For Secure Web Apps And APIs, done in collaboration with Fastly, notes the importance of internal collaboration as a key to success in securing mobile systems with cloud-based surety.
Per the new Playbook, “adding security operators and their preferred toolkits at the end of the deployment pipeline is not the same as unveiling a scalable, long-term security strategy. An authentic and secure DevOps approach provides a path for meaningful communication between security and DevOps teams, granting SecOps insights that can impact the development process as it is still ongoing. Security teams should not be brought in at the last minute to submit a list of vulnerabilities and hope they get fixed before a system goes live.”
That’s one observation among many in Solving The Performance And Security Equation, which stresses that teams need “a collaborative engineering mindset” and security tools “that enable the entire organization to deliver secure software” while also reducing friction and complexity.
Defining Critical Configurations In The Cloud
Illustrating how major players are navigating the DevOps/SecOps waters in 2021, Solving The Performance And Security Equation looks to personal finance app and platform Stash as a prime use case in fostering collaboration and communication between the teams.
Stash VP of Information Security Gavin Grisamore told PYMNTS, “The outdated model of defining a security perimeter and trusting internal access is a significant issue that has caused many exposures in the industry, particularly as organizations move to public cloud offerings. When working in the cloud, organizations must understand that the configuration is changing daily or sometimes hourly,” making visibility into configuration changes and exposures critical.
As use of apps and application programming interfaces (APIs) increases geometrically, and with consumer security fears rising, financial firms desiring new customers must rewrite rules to guide development teams now.
For example, understanding that attackers are also developers is an important mindset. “Realizing this makes it easier to understand why modern threats outpace legacy security models,” per the Playbook. “Agile attackers employ advanced DevOps workflows to quickly attempt, adjust and deploy new methods.”
To counter this, companies must “require tools that offer real-time visibility into both automated and manual workflows. These tools should apply logic in real time for threat examination while also enabling operators to react quickly to alerts that require human intervention” and “use a solution that powers real-time responses. Organizations need to see and interpret traffic in real time, but they must also be able to quickly deploy new rules in response to changing threats.”
Protecting Business Logic With Scalability
To summarize, those issues mostly revolve around overreliance on old-style signatures, siloed legacy tools, limited uses of older tech, and cumbersome “vendor sprawl.”
As the Playbook states, “Strong security does not happen without true visibility — accessible, real-time data on systems’ statuses across any cloud, container, platform or architecture. Making products secure and scalable should not require frequent customization either. The right security approach will address a spectrum of security issues — including protecting against Open Web Application Security Project injection-based attacks to application-level DDoS and brute force attacks — at scale.”
“That level of protection starts with a security model designed to address threats to business logic, an approach that helps ensure the scalability of every product,” it concludes.