
Companies Are Still Not Doing Security Right | Or Weis, Permit.io


Guest: Or Weis
Company: Permit.io

Permit.io is not just an infrastructure and API solution for adding and managing permissions and access control. It provides end-to-end experiences, including user management with role assignment, API key management, audit logs, and approval flows.

In this episode of TFiR: T3M, Swapnil Bhartiya sits down with Co-founder and CEO Or Weis to talk about current market trends, particularly in the DevOps and DevSecOps space.

Key highlights of this interview:

Many of the problems listed in the Open Web Application Security Project (OWASP) Top 10 ten years ago are still on that list. That means we have not solved security and have not become safer by moving to the cloud, even though we have invested a lot of energy in it.

Everyone is talking about new solutions and practices for better security, such as:

  • software bill of materials (SBOM)
  • embedding security into Kubernetes with tools like Falco
  • permission enforcement and authorization
  • policy engines such as Open Policy Agent (OPA)

But in reality, companies are:

  • still implementing most of these security measures on their own, manually.
  • still struggling to adopt security projects.
  • still applying security as an afterthought.
  • not actually applying security, even though they say they are shifting left.
  • giving developers much more responsibility for security, but at the end of the chain, after they have already built something.

The area now experiencing the most friction, and causing most of the hacks and leaks, is how we build solutions on top of the platforms: how we bake application-level access controls on top of them, and how we allow access to data.

Data has become the most desired and most sensitive resource that companies are engaged with.

There is, in effect, a race between the growing complexity of data and application access and the tools we have to organize, control and protect that access. Currently we are not only lagging behind, we are not even accelerating enough to keep pace.

Hackers and attackers are already trying to manipulate generative AI agents.

Zero trust is not just a VPN but a mindset you build into your software. Case study: OPAL, the open-source project created by Permit.io. Problem: how to deliver policies and policy data to decision engines in real time. Permit's solution: decouple the control plane from the data plane, so the server is no longer exposed to all the data. The server only notifies clients that something has changed; each client (only if it is approved, only if it has subscribed to that topic, and only if it has the right access) goes directly to the data source and fetches the data itself. That gives an out-of-the-box zero-trust architecture: the server touches no data, no sensitive data is concentrated in one spot, and each client gets only the data it needs, when it needs it.
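The decoupling described above, as an added illustration written for this summary; it is a toy simulation, not OPAL's or Permit.io's own code, and every topic name, client identity, tenant, record and entitlement in it is made up here. The control plane only fans out a notice of what changed (a topic and tenant reference, never a payload); each subscribed client takes that notice to the data source itself, and the data source enforces per-client scope, so a subscription alone grants nothing and the server never carries records. It also illustrates the application-level access-control point made earlier: the check is made where the data lives, per client, not at a central relay.

```python
from dataclasses import dataclass, field


# Constructed sample records, held only by the data source (never by the server).
RECORDS = {
    "billing/invoices": {"acme": ["INV-1001", "INV-1002"], "globex": ["INV-2001"]},
    "hr/salaries": {"acme": ["alice: 100k"], "globex": ["bob: 95k"]},
}

# Constructed per-client scope, enforced by the data source itself:
# client id -> topic -> tenants that client may read.
SCOPE = {
    "client-acme-billing": {"billing/invoices": {"acme"}},
    "client-globex-all": {"billing/invoices": {"globex"}, "hr/salaries": {"globex"}},
}


class DataSource:
    """The data plane. Authorizes every fetch by client identity, topic and tenant."""

    def fetch(self, client_id: str, topic: str, tenant: str) -> list[str]:
        allowed = SCOPE.get(client_id, {}).get(topic, set())
        if tenant not in allowed:
            raise PermissionError(f"{client_id} may not read {topic} for {tenant}")
        return list(RECORDS[topic][tenant])


@dataclass
class Client:
    """A decision-engine client holding a local cache of only the data it fetched."""

    client_id: str
    source: DataSource
    cache: dict = field(default_factory=dict)

    def on_update(self, notice: dict) -> bool:
        """Act on a change notice by fetching the referenced slice ourselves."""
        try:
            data = self.source.fetch(self.client_id, notice["topic"], notice["tenant"])
        except PermissionError:
            return False  # subscribed, but not entitled: nothing is cached
        self.cache[(notice["topic"], notice["tenant"])] = data
        return True


class ControlPlane:
    """The control plane. Tracks subscriptions and fans out notices; it holds no records."""

    def __init__(self) -> None:
        self.subscriptions: dict[str, list[Client]] = {}
        self.forwarded: list[dict] = []  # every payload that passed through the server

    def subscribe(self, client: Client, topic: str) -> None:
        self.subscriptions.setdefault(topic, []).append(client)

    def publish_update(self, topic: str, tenant: str) -> dict[str, bool]:
        """Announce that <topic> changed for <tenant>. The notice is a reference, not data."""
        notice = {"topic": topic, "tenant": tenant}
        self.forwarded.append(notice)
        return {c.client_id: c.on_update(notice) for c in self.subscriptions.get(topic, [])}


def run_demo():
    """Two tenants' clients, one of which subscribes to a topic it is not entitled to."""
    source, server = DataSource(), ControlPlane()
    acme = Client("client-acme-billing", source)
    globex = Client("client-globex-all", source)
    server.subscribe(acme, "billing/invoices")
    server.subscribe(globex, "billing/invoices")
    server.subscribe(globex, "hr/salaries")
    server.subscribe(acme, "hr/salaries")  # curious subscriber; the data source will refuse it

    billing = server.publish_update("billing/invoices", "acme")
    salaries = server.publish_update("hr/salaries", "globex")
    return server, acme, globex, billing, salaries


def server_saw_only_references(server: ControlPlane) -> bool:
    """True if nothing but topic/tenant references ever passed through the control plane."""
    return all(set(n) == {"topic", "tenant"} for n in server.forwarded)


if __name__ == "__main__":
    server, acme, globex, billing, salaries = run_demo()
    print("billing update:", billing)    # acme fetched; globex refused (wrong tenant)
    print("salaries update:", salaries)  # globex fetched; acme refused (no entitlement)
    print("server only saw references:", server_saw_only_references(server))
```

Running the file shows the two points the passage makes: the control plane's forwarded log contains nothing but topic/tenant references, and the client that subscribed to a topic it was not entitled to receives the notice but ends up with nothing in its cache, because authorization happens at the data source on every fetch rather than at the relay.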

Unfortunately, there has not been a major cultural change. With DevOps, many companies just added more people to do DevOps, but the point was to have the developers do Ops. With DevSecOps, companies just added security people alongside their developers, but the point was to enable developers to do Ops and to do security. It is not about splitting the role off to a separate person.

For DevOps and DevSecOps to be effective, companies need to:

  • Have their developers immersed in security. Motivate and help engineers work on security as part of their job, not as an afterthought or only when compliance requires it.
  • Have developers use security by design when they’re building things.
  • Invest in training people.
  • Invest in giving people tools, examples, methodologies that they can adapt and work with.

For companies that don’t have the DNA built in for security:

  • Hire, or look to add to each team, one engineer with some security background, but don't make them the head of security or the person responsible for security. Have them work with the other engineers and teach them, turning the rest of the team into security-aware engineers.

Permit.io helps companies improve their security posture by:

  • Providing access control, which is hard to get right unless you are a real expert in it.
  • Commoditizing access control.

This summary was written by Camille Gregory.