War Gaming's Role in Application Security
War Gaming teams up developers, operations and security personnel to launch attacks upon their own applications, systems and networks.
"Oh my God, they got into production by taking advantage of this password reuse! And they grabbed that password so easily with a simple piece of malware that they got from GitHub! And, oh my God, there was a dual-homed server over here!"
Then your question: "Were we that dumb?"
While attending Rugged DevOps Day during the RSA Conference this year, Sam Guckenheimer recounted the type of reactions that play out during Microsoft's War Game exercises.
War Gaming is a technique more DevOps organizations need to employ in order to improve their defensive posture. With attackers so persistent, your preparedness needs to match.
War Gaming teams up developers, operations and security personnel to launch attacks upon their own applications, supporting systems and networks -- aka Red Teaming. Simultaneously, Blue Teams are set up to monitor for attacks, identify breach points and defend the systems.
Let's face it, no one really wants to be attacked; let alone be a victim of a successful breach. But there are two kinds of companies: those that have been hacked and those who don't know it. To beat the attackers at their own game, you need to think, plan and attack like them. By purposely subjecting yourself to ethical, friendly fire, you can improve and harden your defenses.
"What would you rather have happen: Would you rather have somebody in China do this to you, that didn't work with you, that didn't sit next to you and help you fix the product?" questioned Scott Kennedy, security scientist and member of the Rugged DevOps team at Intuit. "Or would you like to have a friend whose job it is to attack?"
While improved cybersecurity has always been desired by DevOps teams, most have found that traditional approaches to application security are not well-suited to the new velocity of operations. War Gaming will improve your defensive posture -- and done right, it can also dramatically improve mean time to detect vulnerabilities, feedback loops and mean time to remediation.
In their seminal report, "The Seven Habits of Rugged DevOps," Forrester Research analysts Amy DeMartine and Kurt Bittner detail principles that teams can bring into the fold to help improve application security while continuing to increase speed and quality. The report shares habits practiced by Rugged DevOps teams including:
- Using the continuous delivery pipeline to incrementally improve security practices
- Standardizing on third-party software and then keeping it current
- Testing preparedness with security games
If you are leading a DevOps initiative, it's time to add War Gaming into your regimen. As remarked in "The Art of War" by Sun Tzu: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
In early 2015, Derek Weeks led the largest and most comprehensive analysis of software supply chain practices to date across 106,000 development organizations. As a 20-plus year veteran of the software industry, he has advised many leading businesses on IT performance improvement practices. Derek currently serves as vice president and DevOps advocate at Sonatype. Derek shares insights regularly across the socialsphere on Twitter, LinkedIn and in online communities.