There are three categories of security controls, generally speaking: preventive (stop the adversary), detective (notice the adversary), and corrective (fix what the adversary broke). Implicitly, all three of these assume that the adversary can exploit your environment, and you’re trying to defeat them. But why do we assume adversaries have that capability? Because, like an escort mission in a real-time strategy game, we have no control over the actions of the party we’re defending. Instead of a courier on a secret mission, it’s our business partner, deploying apps at lightning speed to make our businesses successful.
Finding the Security Potholes
Security teams find themselves in a never-ending quest to document, inventory, and prioritize every problem that engineering teams leave behind in their mad dash to ship. Engineering teams have so little bandwidth for remediation activities that choosing which fix to ask for first becomes the most important task for a security team, and the industry has responded: security posture management tools litter our industry, promising to help chief information security officers (CISOs) identify the things that matter, from cloud security misconfigurations to software supply chain vulnerabilities to software-as-a-service (SaaS) provisioning.
Finding the security potholes was a fine strategy when security teams had time. Security teams used to have a lot of time to inject themselves into the software engineering process. Remember the waterfall model? Software development teams, using a bureaucratically slow design, development, and deployment process, took what felt like forever to get software out onto production systems. Security teams could identify problems and have them corrected before systems even came close to deployment. That approach — rapidly responding, faster than software teams could proceed — became hardcoded into security philosophies, even as software teams embraced agile, continuous deployment methods that accelerated them until they outpaced security teams.