{"id":97073,"date":"2019-02-14T06:00:14","date_gmt":"2019-02-14T14:00:14","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=97073"},"modified":"2019-05-06T15:34:16","modified_gmt":"2019-05-06T22:34:16","slug":"focus-security-first-coding-next-feature-set","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/02\/focus-security-first-coding-next-feature-set\/","title":{"rendered":"Focus on Security First, Before Coding the Next Feature Set"},"content":{"rendered":"<p><em>Before you start working on the next set of product features, I implore you to do a security assessment.<\/em><\/p>\n<p>As we were about to run through a roadmap planning session recently, I got to thinking about the earlier days in my career. Back then, the list of things that needed to be built just to get a viable product on the market was overwhelming and seemingly never-ending. Everyone feels that way at the beginning of a development project, and often the things that can\u2019t be seen by customers and end users \u2013 like security \u2013 get pushed to the bottom of the backlog.<\/p>\n<p>Because we are a security company focused on delivering industry-leading security to the enterprise, we start monitoring for and fixing security bugs early in the development lifecycle. However, we work with organizations each day that are a few years into building their products and running in the cloud, and security is only now becoming a priority. Don\u2019t get me wrong, I\u2019m thrilled that security made it to the top of the priority list; I just wish it happened sooner.<\/p>\n<p>Here are some of the lessons learned from years of working with Dev and DevOps teams.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>There are always critical risks<\/strong><\/p>\n<p>No matter how careful you are, there are always high-priority security risks and bugs introduced into your cloud ecosystem. 
Recent <a href=\"https:\/\/start.paloaltonetworks.com\/5-key-cloud-security-trends\">analysis by Unit 42\u2019s cloud research team<\/a> has determined that 29 percent of organizations have potential account compromises. Sure enough, since May 2018, we have seen multiple high-profile breaches resulting from this emerging threat vector. We\u2019re just human, and we get distracted. Or we miss checking a box or forget to copy over a block of code this one time. It\u2019s okay to make mistakes; they just need to be fixed. Even the best, most security-minded teams end up with open SSH ports, misconfigured security groups, or cloud accounts without multi-factor authentication turned on. It\u2019s important to do the necessary checks and get these things fixed.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Start early in your development lifecycle<\/strong><\/p>\n<p>Security needs to be checked all along the way. If you catch risks early, development won\u2019t have to go back, unravel and perhaps rebuild too much, thus leaving you time to get to more of that feature list. I\u2019ve seen too many product timelines get derailed because critical security flaws were found too late in development, causing months of delays, along with lost productivity and revenue. We always advocate having different cloud accounts for dev\/test vs. production. You want to be able to push code and spin up the infrastructure and cloud services as you will run them in production so you can be sure you\u2019ve got all the security groups and access controls configured correctly. (That\u2019s just one example \u2013 there are dozens of things to check for along the way.) 
This way, when it is time to deploy to production, it is a much smoother process; and you can have some confidence that your cloud environment, your product and your data are secure.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Hackers have automated their hacks \u2013 it\u2019s time to automate security<\/strong><\/p>\n<p>Just like Dev and DevOps have automated processes to move faster, so, too, have the hackers. They can scan entire regions in less time than it takes you to install the latest Microsoft update. That means that you have to be diligent about your security hygiene. Security automation helps by continuously scanning and assessing all your infrastructure settings, so if a bug or risk is introduced, you can remediate the issue fast \u2013 before the hackers find it. With the right tools and a little bit of dev time, you can automate security policy enforcement so you can nuke high-risk services before the hackers find the open door.<\/p>\n<p>As our thoughts turn to the next feature set we\u2019re going to build into our respective products, I\u2019ll make just one last argument for putting security at the top of your list, too.\u00a0 Whether you\u2019re building for B2B or B2C, customers are getting more and more savvy to both security and privacy best practices. Building in strong security components and implementing security automation could be among the most attractive and differentiating features you develop this year.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><em>RedLock\u00ae public cloud security and compliance service, part of the Palo Alto Networks Security Operating Platform, provides a focused cloud console for monitoring the security and compliance states of your Google Cloud Platform, Amazon Web Services and Microsoft Azure\u00ae environments. 
<a href=\"https:\/\/start.paloaltonetworks.com\/redlock-14-day-free-trial.html\">Learn more here<\/a>.<br \/>\n<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Before you start working on the next set of product features, I implore you to do a security assessment. As we were about to run through a roadmap planning session recently, I &hellip;<\/p>\n","protected":false},"author":631,"featured_media":94587,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6717,6768],"tags":[1166,1665],"coauthors":[6733],"class_list":["post-97073","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products-and-services","category-secure-the-cloud","tag-cloud-security","tag-devops"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/11\/generic-social-media-facebook-shared-image-b-1200x630.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/631"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=97073"}],"version-history":[{"count":7,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97073\/revisions"}],"predecessor-version":[{"id":97141,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97073\/revisions\/97141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/94587"}],"wp:attachm
ent":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=97073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=97073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=97073"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=97073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}