It is becoming easier for misconfigured cloud infrastructure to be exposed to the public because more developers are creating and publishing cloud infrastructure. There are a lot of tools for finding misconfigured cloud infrastructure in production, but there haven’t been many easy ways to make sure it was done right during enterprise development in a way that was palatable for developers. That is why I set out to build something that would make it easy to secure cloud infrastructure in development, using a developer-first approach, and that’s what we’ve done at Soluble.
By Richard Seiersen, Co-Founder, Soluble
My company is focused on what the industry is calling “developer first” for security. I observe that developers have been executing infrastructure and now security. Everything is oriented towards making them more efficient, reducing costs and creating more velocity, and the security industry is having a real problem with this because everything it does, from go-to-market and how its sales are incentivized and organized to how it builds its software and systems, is antithetical to that sort of approach.
Lessons for aspiring startup founders
I'll quote something that I learned at GE, and that is “do all the wrong things first.” I heard Edison said this. It was more just a reflection on the reality of invention and learning. In short, there will be a lot of trial and error, and part of that error is just choosing to do the wrong things. What I am learning is: do the smallest, most useful thing first.
Constrain your problem and your solution and make it tiny. Solve one real problem really well. You may have a hypothesis about what that is. You may think that you're going to solve a problem that you have. The problem that you have may very well not be recognizable by anybody else, so you've got to take that tiny thing and quickly, not in months, but maybe in weeks or days, get that out in front of people and get responses, and learn. Be fast. Choose something tiny to solve and get that out there so that you can get feedback.
There are a billion blog posts that speak to this, but you won't do it. You will “do all the wrong things first.” And that just means you're normal. But if there's any encouragement, you can at least get to this faster through a tiny, constrained problem.
I’ve been on both the vendor and operations side of things. I've had both the perspective of the builder and the buyer. And for the aspiring security startups, entrepreneurs, and founders out there, I urge you to focus on a very specific problem and persona. That can be very hard for a founder if they don't have both the operational experience as well as the entrepreneurial experience. But if you haven't lived in the ‘salt mines,’ so to speak, you haven't had the experience, and it's going to be all that much more important for you to get that small thing out in front of somebody so you can get feedback.
That's going to be key. If you're a month or two in, you're building away, and you haven't talked to several dozen different potential customer types, from the individual contributors to executives, you're probably doing it wrong. You have to get in front of people quickly. Also, because we are talking about cloud security, I would add that what it means to do security is really changing. If you look at more modern digital transformation and at cloud-native development, infrastructure has shifted left.
Shift left is a security term, and what it really means is that operational processes are shifting left. More to the point, they are becoming software defined and executable by developers. Of course, a lot of this is a function of the public cloud. It has taken away operational overhead as well as enabled more software-defined operations.
Starting about 10 years ago, we were able to define our infrastructure and our stack as code. So we started seeing infrastructure as code materializing, like HashiCorp’s Terraform. There was less and less click-ops materializing cloud infrastructure. As we started seeing more infrastructure as code (IaC) and APIs, we started seeing fewer people with the word ops in their job titles. Meaning, the pure ops person largely doesn’t exist in more modern enterprises. If they exist, they are titled DevOps or Site Reliability Engineering (SRE). Infrastructure continues to shift left.
Now we have serverless. We have functions as code. We have distributed computing with Kubernetes. But all these things are oriented towards enabling the developer to be independent, to have freedom and responsibility. We're seeing more and more infra capabilities go right to the developer.
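Because infrastructure is now code, the misconfiguration checks that used to run against production can run against the Terraform file before it is merged. The following is an added illustration, not Soluble's product or any code from the original page: a small pre-merge linter over a constructed Terraform snippet that flags a publicly readable S3 bucket ACL and a security group that opens a management port to the whole internet. The resource and attribute names are standard AWS provider names; the checks, sample file and function names are assumptions made for this example.

```python
import re

# Constructed sample Terraform (not from the page); two of the three resources are misconfigured.
SAMPLE_TF = """
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_security_group" "web" {
  name = "web"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "private" {
  bucket = "example-private"
  acl    = "private"
}
"""

def iter_resources(text):
    """Yield (type, name, body) for each top-level resource block, matching nested braces."""
    for m in re.finditer(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def check_s3(body):
    if re.search(r'\bacl\s*=\s*"public-read(-write)?"', body):
        return "bucket ACL grants public access"
    return None

def check_sg(body):
    for ingress in re.findall(r'ingress\s*\{([^}]*)\}', body):
        open_world = '"0.0.0.0/0"' in ingress or '"::/0"' in ingress
        port = re.search(r'from_port\s*=\s*(\d+)', ingress)
        if open_world and port and port.group(1) in ("22", "3389"):
            return "management port %s open to the internet" % port.group(1)
    return None

CHECKS = {"aws_s3_bucket": check_s3, "aws_security_group": check_sg}

def scan(text):
    """Return findings as (resource_type, resource_name, message); empty list means clean."""
    findings = []
    for rtype, rname, body in iter_resources(text):
        msg = CHECKS.get(rtype, lambda b: None)(body)
        if msg:
            findings.append((rtype, rname, msg))
    return findings

if __name__ == "__main__":
    results = scan(SAMPLE_TF)
    for f in results:
        print("FAIL %s.%s: %s" % f)
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the merge in CI
```

Wired into a pre-commit hook or CI job, the non-zero exit gives the developer the finding where they are already working, which is the "developer first" point of the text.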
What does that mean for security? What is the role of a security practitioner? You need to think about the fact that the personas are really shifting, and in many cases disappearing. You need to focus on what the outcome of this is. We don't know who's going to execute it in this case, but nine times out of 10, it will be developers. And so as an entrepreneur considering what you're going to do, you just need to realize that the old-school security application babysitter, the rack-and-stack role, anything that's associated with ops, those roles are really going away.
How to address the shift-left world
This is where entrepreneurs need to be focused from a security perspective: how do I address this new shift-left world? What does shift left mean? It doesn't mean the security people are shifting left. It doesn’t mean the security processes are shifting left. It means infrastructure and everything has gone to the developer. And that means that security as a capability needs to materialize in that context as well.
Necessity is the mother of invention and boredom is its father. When I was at Kaiser, I was responsible for a big chunk of security operations across the United States; it was a massive environment. I was very concerned and dissatisfied with the taken-for-granted approaches for prioritizing risk.
I started to look outside of security for better risk management approaches. I looked at statisticians, people in decision analytics, etc. This is how I ran across my co-author Doug Hubbard. He is one of the industry's leading measurement experts, a true generalist working across Big Pharma, industrials, military, sports, entertainment, etc. We took the predictive analytics methods he used there and brought them to security.
I think measurement is going to be a key part of the next-generation, modern security practitioner skill set. We will be in more of an assurance and governance mode as security execution moves closer to the point of value creation: development.
After all, you have to have someone who's checking the doers, particularly if you're in regulated environments. If you're in financial services, health care, or some sort of government-related thing, or even retail, if it's serious business, you have to have someone who's ensuring there's accountability. So measurement is the best way for me to know, and to scale out, accountability.