Generally speaking, security validation aims to answer the question “Are we vulnerable?”
The constant expansion of attack surfaces through connections with third parties, the addition of digital transformation applications, the accelerated migration to remote working, and the increased adoption of cloud computing have created a situation that drastically complicates comprehensive asset discovery and the ability to continuously track and remediate vulnerabilities.
Coupled with the rapid changes in applications pushed out by DevOps to keep up with business, competitiveness and operational demands, this makes evaluating the resilience of the infrastructure solely with a risk-based vulnerability management system a losing proposition.
To complicate matters even more, DevSecOps must continuously dance the ‘performance versus security’ tango: the board insists on removing security friction to facilitate rapid business processes across the entire business gamut, from HR growth to customer acquisition and product development, while DevSecOps need to push back to preserve the enterprise’s security and compliance.
To continuously achieve that overall goal, security validation is crystallized into three main sub-goals.
The Three-Pronged Goals of Security Validation
To understand its main goal of assessing a company's security posture, it helps to divide security validation’s mission into three sub-goals:
Confirm or Correct the Security Assumptions Derived from Detection and Defensive Tools
Without a thorough security validation process, DevSecOps rely exclusively on the results emanating from detection tools, whether they are network security monitoring, web vulnerability scanning, data loss prevention, endpoint detection and response, wireless network defense solutions, packet sniffers, antivirus software, Web Application Firewalls or simply regular firewalls, Public Key Infrastructures (PKIs), managed detection services, or
The problem faced by all these tools is that they can only measure what they can detect. By definition, what they miss goes undetected. Sadly, what is undetected is also what is most likely to result in a successful breach.
By posing as an attacker and launching production-safe attacks, the security validation process aims at uncovering both detected and undetected potential entry points.
A complete security validation does not end at uncovering potential entry points; it operationalizes MITRE ATT&CK scenarios to explore all potential lateral movements, thus revealing potential escalation paths.
Using an attack-based vulnerability patching prioritization approach, the uncovered vulnerabilities can be scored according to the highest danger they pose to the validated environments, and a patching schedule can be established accordingly.
Monitor and Manage the Security Drift
The data collected in the previous step can be used to establish baselines of acceptable risks, continuously measure the variance from the baseline, and apply corrective measures to maintain a constant, stable security posture.
This continuous monitoring of variance from baselines is critical to maintaining the security posture regardless of changes to the environment and new threats.
As a bonus, quantified monitoring of these baselines facilitates communication with the board with numbers, trends, and other specific measurable data.
Rationalize and Optimize the Detection and Defensive Tool Stack
The tools used to run security validation processes should be integrated with the existing detection and defensive tools.
As such, they can compare the performance of those tools when faced with an attack, by checking the number and types of attacks launched against the number of attacks detected.
This 360° visibility into the efficacy of the defensive tool stack is key to optimizing it and avoiding tool sprawl.
Granularly evaluating the efficacy of each tool, as well as the number of times an attack triggers an alert, enables eliminating tools with overlapping functions, improving the configuration of existing tools, and eliminating underperforming tools.
The end goal is to achieve a streamlined defensive tool stack with increased and quantifiable efficacy.
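The two computations described above (measuring drift from an accepted baseline, and comparing attacks launched against attacks detected per tool to find overlapping or underperforming tools) can be made concrete with the added example below. It is not code from the original article or from any validation product; the run results, tool names and baseline rates are constructed sample data.

```python
"""Added example: scoring a defensive tool stack from one security-validation run.
All data below is constructed for illustration."""

# Constructed results of one production-safe validation run: which simulated
# MITRE ATT&CK technique was launched and which tools raised an alert for it.
RUN = [
    {"technique": "T1059.001", "alerted_by": {"edr", "siem"}},
    {"technique": "T1003.001", "alerted_by": {"edr"}},
    {"technique": "T1021.002", "alerted_by": set()},
    {"technique": "T1566.001", "alerted_by": {"email_gw", "siem"}},
    {"technique": "T1048.003", "alerted_by": set()},
    {"technique": "T1110.001", "alerted_by": {"siem"}},
]
TOOLS = ("edr", "siem", "email_gw", "ngav")

# Constructed baseline: per-tool detection rates accepted after the previous run.
BASELINE = {"edr": 0.5, "siem": 0.5, "email_gw": 0.2, "ngav": 0.1}


def detection_rates(run, tools):
    """Fraction of launched attacks each tool alerted on (launched vs. detected)."""
    return {t: sum(t in r["alerted_by"] for r in run) / len(run) for t in tools}


def undetected(run):
    """Techniques no tool saw: the blind spots the article warns about."""
    return [r["technique"] for r in run if not r["alerted_by"]]


def redundant_tools(run, tools):
    """Tools whose every alert was also raised by another tool (overlap candidates)."""
    out = []
    for t in tools:
        hits = [r for r in run if t in r["alerted_by"]]
        if hits and all(len(r["alerted_by"]) > 1 for r in hits):
            out.append(t)
    return out


def underperforming(rates, floor=0.05):
    """Tools that detected (almost) nothing in this run."""
    return [t for t, rate in rates.items() if rate < floor]


def drift(baseline, current, tolerance=0.10):
    """Per-tool variance from the baseline; only drops beyond tolerance are flagged."""
    return {t: round(current[t] - baseline[t], 3)
            for t in baseline if baseline[t] - current[t] > tolerance}
```

Run on the sample data, the EDR's rate has fallen more than 10 points below its baseline, the e-mail gateway never alerted on anything the SIEM did not also catch, and the NGAV alerted on nothing.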