In the ever-evolving landscape of software development, the mantra "you build it, you own it" has long become a guiding principle for engineering teams. Our industry is quickly maturing with engineering-centric security advancements like integrated continuous testing, continuous compliance, policy as code, and runtime insights. But let's face it, these innovations are still mostly accessible to the market's upper echelon who have many resources that are running mature programs. For the rest of us, the security programs still come complete with oracles and fortune tellers who rely on anecdotes, personal experience, and which tools give them more detections. Because more is better, right?
Teams need a robust, reproducible, and reliable security approach rooted in a more scientific or engineering-centric approach. They need build-time detections, runtime insights, and coordinated action rather than just a consolidated view of findings. So, why is this so difficult to achieve?
Security theatre vs. effective security
The combination of increasing complexity, continuous flux of technology, and adversarial tactics makes a more scientific approach to cybersecurity difficult. “There are few empirical results that can guide risk mitigation decisions,” which led Daniel Woods and Aaron Ceross in their seminal paper to conclude that, “legal reasoning will increasingly influence cybersecurity decisions relative to technical and quantitative reasoning.” As this happens, “Risk decisions may be guided by concepts like reasonableness or appropriateness rather than effectiveness… Whereas an effectiveness criterion strives to be better than current practice and rewards innovations that do so, reasonableness emphasizes following established practices and may even punish deviating from them… Firms should follow ‘established recommendations’ offered by regulators. Deviating from such recommendations brings legal risk unless the deviation is based on scientific knowledge, which is broadly unavailable.”
This makes sense in the world of security and legal theory. When you’re the one building an application on a deadline, an approach that favors security theater to real results is often disastrous. We see this type of flawed thinking all the time in practice:
- Overly restrictive access controls: Creating multiple layers of approval for simple file access or implementing overly complex permission matrices to satisfy compliance requirements. These often hinder productivity and lead to workarounds that compromise security.
- Purchasing unnecessary security tools: Renewing, or worse yet, buying new firewalls despite not having a real network in order to satisfy compliance requirements.
- Periodic security audits without continuous monitoring: Relying solely on periodic security audits to meet compliance requirements, and neglecting the need for continuous monitoring and real-time detection leaves gaps in security posture between audit cycles.
- Controls that are not effective: Mandating regular password changes and sending people through phishing simulations undeterred by the trade-offs these come with.
- Generic security awareness training: Mandating one-size-fits-all training sessions that check the compliance box but fail to engage employees or address specific threats relevant to the organization.
These examples highlight the pitfalls of a compliance-first mindset, where the focus is on ticking boxes rather than adopting practices that genuinely enhance security. While compliance is important, it should be viewed as a baseline rather than the ultimate goal.
Bringing together the best of both worlds
Imagine being able to see exactly what’s running in your production environment, with dynamic updates keeping everything fresh and relevant across your estate. Production insights can help those building applications prioritize what needs to be fixed and what can wait. They also make it easier for teams to produce the artifacts needed to prove they’re staying in line with regulations. Both ultimately reduce legal risk and save precious cycles triaging and auditing low value detections.
New Relic Vulnerability Management integration with FOSSA integrates compliance with modern security practices. FOSSA isn’t just at the forefront of software composition analysis (SCA) and software bill of materials (SBOM) management; they’re also deeply committed to engaging with the developer community because as compliance requirements multiply, the gap between compliance and security widens.
Together we’re able to deliver security information in context, where it’s not a separate concern but an integral pillar of reliability. Leveraging New Relic Vulnerability Management provides you with an inside-out view of your application, thanks to our deeply rooted history in application performance monitoring (APM). You can see all dependencies loaded, even those indirectly exposed, giving you a deeper understanding of the context and real-world impact of a vulnerability. Combining insights from repo to release helps you understand the areas that pose a real risk to your business and allows you to focus on the most critical issues while not getting bogged down by noise.
The solution: New Relic Vulnerability Management and FOSSA integration
This integration marries FOSSA’s powerful build-time SCA capabilities with New Relic’s runtime production insights, delivering a comprehensive security solution that enhances real-time accuracy, streamlines remediation, and ensures compliance. Here’s how it works:
1. Real-time accuracy: Gain a live view of what’s actually running in production with dynamic updates, ensuring that the results are always fresh and relevant. This real-time accuracy allows teams to maintain an up-to-date understanding of their security posture and respond swiftly to emerging threats.
2. Streamlined remediation: Highlight components that are actively loaded and potentially vulnerable, helping prioritize remediation efforts where they’ll have the most significant impact. By focusing on the most critical issues, teams can address vulnerabilities more effectively and reduce mean time to resolution (MTTR).
3. Actionable intelligence: Correlating results across the software development lifecycle (SDLC) enables more informed decision-making. Combining FOSSA’s build-time insights with New Relic’s runtime data provides a holistic view of vulnerabilities, empowering teams to take decisive action with confidence.
4. Compliance assurance: Generate and manage accurate and up-to-date SBOMs with ease, ensuring compliance with industry standards and regulations. The integration minimizes friction between developers and security teams, fostering a collaborative approach to maintaining compliance and security.
Many organizations lack the resources and staffing to achieve compliance and real security, but we want to change that. Instead of focusing on detecting more problems, together, we’re providing contextual insights that save time by allowing engineers to be self-sufficient, well-equipped with the right tools, and supported with prioritized security insights. Most importantly, we want to help foster a culture of continuous improvement so organizations can achieve both regulatory compliance and robust security.
This integration marks a significant step forward in developer-centric security and the Secure Developer Alliance. With this integration, we’re making security and compliance less of a headache and more of a seamless experience. Security theater is becoming a thing of the past and teams can focus on real risk while still meeting compliance obligations.
Stay tuned for more updates on this powerful integration. Together, New Relic and FOSSA are paving the way for a future where developers are the vanguard of a secure, reliable, and compliant digital world.
Próximos passos
Get started today with New Relic Vulnerability Management
If you have a free New Relic account, you already have access to New Relic Vulnerability Management if you’re using a supported agent. To learn more, contact your New Relic account representative and get started.
Don’t have a New Relic account yet? Sign up for free today. Your free account includes 100 GB/month of data ingest, one full user, and access to Vulnerability Management.
Don’t have a FOSSA account yet? Sign up for free today. Your free account includes 5 managed projects, license identification, vulnerability management, and basic teams/roles.
As opiniões expressas neste blog são de responsabilidade do autor e não refletem necessariamente as opiniões da New Relic. Todas as soluções oferecidas pelo autor são específicas do ambiente e não fazem parte das soluções comerciais ou do suporte oferecido pela New Relic. Junte-se a nós exclusivamente no Explorers Hub ( discuss.newrelic.com ) para perguntas e suporte relacionados a esta postagem do blog. Este blog pode conter links para conteúdo de sites de terceiros. Ao fornecer esses links, a New Relic não adota, garante, aprova ou endossa as informações, visualizações ou produtos disponíveis em tais sites.