A competitive business environment demands security that keeps up with the speed and scale of innovation.  Fast paced security has caused us to learn some additional things about testing and building security into software.  #RedTeamMonday was designed to enable prioritized security remediation to unlock safe innovation at scale.    If you caught one of my earlier posts What is DevSecOps?, then you are already familiar with the notion of game theory.  This post explores a Red Team approach to building Security into Software and Services organizations to achieve rugged results in support of DevSecOps by applying principles from game theory. 

As you might already be aware, enemy attackers are directly competitive to the interests of an organization, whether that be revenue, productivity, availability, or safety.  The purpose for an enemy attacker is to achieve gains and/or anarchy.  Through a great deal of experimentation, we chose to prove that game theory applies to reducing the impacts of attackers who hack software.  In this case, one ofthe best means of slowing a competitor is to increase their competition in the form of another collaborator, or implement a friendly group of attackers on behalf of the company that hunt the same opportunities as enemy attackers, aka a Red Team. 

According to wikipedia, a Red Team is an independent group that challenges an organization to improve its effectiveness.  Without a Red Team, companies are more likely to approach security by believing that attackers are slow moving and that things hardly change within their organization.  But the competitive landscape brings with it an unfriendly business environment, one that is mostly unpredictable and ever-evolving, ie. just a little bit crazy.  Companies that engage in point-in-time assessments, look to security leaders to "approve" decisions, and those that grant long-term exceptions will undoubtedly increase their business risk.  In other words, because an organization bargains down its security mechanisms with itself, it may unknowingly create a superior position for an external attacker. 

Security is not friction for friction's sake.  Slow moving security programs can cause frailties by enacting rules of engagement and policies that make it impossible to truly secure company resources.  And more importantly, slow security can give an external attacker a degree of competitive advantage that makes it that much harder to protect a business and its customers.  But what if.... That's right, what if you could make a change that drastically alters how security operates in order to get it built-in from the start?  A Red Team is a great start but what if everyone in your company can get engaged? 

First and foremost, security must be distributed throughout an organization and implemented as a built-in set of features from end to end.  This means that security must be included as features, non-functional requirements, and operationalized to be fully effective.   Software security must be included within the Continuous Delivery processes to give Full Stack Engineers with the greatest context the ability to make security decisions with speed and scale.  Security controls are implemented closest to the workloads they serve to protect.  And finally, security mechanisms must be tested without constraints to ensure they are quickly improved.

There are many people throughout the world that have told me their company has a Red Team.  From Financial companies, Software & Services, to Healthcare companies, these businesses are among the most progressive in the business.  And they have lessons that suggest that engaging the whole business in a fight against external attackers can be quite valuable.  In fact, these companies have the battle scars from breaches caused by frailties that came from building rules of engagement and formulaic policies that were designed to protect them.  Now, they've found that running a Red Team and Continuous Penetration Testing Programs have shown the most success in reducing security frailties and low-hanging opportunities that external attackers thrive on.  And these companies have extended their security programs to embrace a whole company Blue Team approach, for example Facebook and Netflix.

Taking risks is part of business, which means it is essential to create balance by understanding directly what risks are being taken and how they might impact the environment.  And companies have the opportunity to take it further by cooperating across the industry to reduce the threat of external attacks.  In fact, companies that might be nervous about sharing IOC information still have a lot of opportunity to get involved and hep build secure components or help to test them. It’s not enough to simply security your organization but to realize that increasing attacker competition has the benefit of making technology safer.

It's time for every company to engage Red & Blue Teams within their organization to improve security using a more realistic approach.  Getting started can be as simple as picking a day every week and evaluating the security for your organization - for example #RedTeamMonday.


Shannon Lietz

Shannon Lietz is an award winning leader and technologist focused on advanced security, DevOps, and cloud adoption.  With 25+ years experience, she has found her passion in helping others secure their technical projects to solve the world’s problems at speed and scale.  She currently works at Intuit as the Director of DevSecOps and Chief Security Architect.  She is inspired by great collaboration and high performing teams focusing her time and energy on fostering the adoption of Rugged Software practices with DevSecOps.