• United States




Security starts at source code  —  in the cloud

Sep 27, 20176 mins
Application SecurityCloud SecurityCompliance

Enterprises are overwhelmed, spending more every year and still losing. Something is missing. By ignoring the root cause of the issue, vendors are simply stacking more and more software on top the same post-deployment problem.

Internet of things smart city with icons
Credit: Thinkstock

For years enterprises have been happily spending billions of dollars on “cyber security” to deal with an ongoing cat and mouse game — corporate IT security.

Here is how the game works: every week a new threat appears, and every week a new feature is released that controls the issue. Security vendors continue to innovate and release a slew of new tactics like endpoint security, malware detectors, crowd sourced analytics and now machine learning to keep up with the rapid pace of threat evolution.

In what is still is a cat and mouse game of “the enterprise playing catch up,” the threats are now so complex and the solutions so esoteric that the typical enterprise follows what others are doing instead of taking a deep look at their own security strategy holistically — who can blame them, everyone is super busy right? To compound it further, mindshare of the CIO still sit in post-deployment security exclusively.

The solution landscape is fragmented; hundreds of companies in dozens of subcategories. It’s a byproduct of point solutions addressing individual threats for post-deployment scenarios. Furthermore, according to the Cisco 2017 mid-year security report, hackers are taking advantage of the situation:

“The dramatic increase in cyber attack frequency, complexity, and size over the past year suggests that the economics of hacking have turned a corner, according to Radware, a Cisco partner. Radware notes that the modern hacking community is benefiting from quick and easy access to a range of useful and low-cost resources.”

The report merely affirms what the boardroom already knows — the security gap is widening as traditional endpoint, and perimeter based security solutions are no longer enough to protect digital data. Security Incident Event Management (SIEM), Identity and Access Management (IAM) and emerging technologies such as cloud-based malware sandboxes, cloud-based data encryption and web application firewalls are the fastest growing cloud-based security services segments. Yet, all of these solutions double-down on post-deployment scenarios.

Internet of Things city superimposed on padlock Thinkstock

Threats persist and are now plaguing Network Operation Centers (NOC) with “Alert fatigue.” Security talent is at an all time low — shortages everywhere, while the demands of the NOC are blowing up. Many security personnel see far more daily alerts than they can investigate, leaving potentially serious threats unaddressed. There are several causes of alert fatigue. Siloed systems may create duplicate alerts, or teams may not have the knowledge to distinguish between low and high-priority alerts, or false positives. They may lack auditing tools such as auditing that can determine the source of potential threats. There are now so many tools and so many events happening that organizations have started to purchase products to consolidate and filter these events to handle the post-deployment threat crisis. Enterprises are overwhelmed, spending more every year and still losing.

Something is missing

By ignoring the root cause of the issue, vendors are simply stacking more and more software on top the same post-deployment problem.

”We must fundamentally change the lens around the security lifecycle and address the fact that before software grows up — into the products that are deployed and consumed by enterprises — it is born as code. Code is born in version control.”

If code is born in version control does it not make sense to detect, mitigate and remediate the security issues at the source — instead of later? If not addressed early on, the code will surely transform into IT backdoors, data breaches and other threats that could be catastrophic for an organization’s brand? Just look at the recent release of the Apache Struts vulnerability that affected nearly all Fortune 100 organizations. The simple vulnerability had been sitting there for years.


I’ll use an analogy; what sense does it make to build stronger doors, thicker walls and larger fences around a home when the bad guys are already in the house? Those tactics are important yes, but what is most important is looking at how bad guys were able to enter the house in the first place.

I believe in holistic enterprise security. I believe in defense-in-depth. Securing code at the point of birth. Not just post-deployment, but pre-deployment as well. For too long have CISO’s ignored their most vulnerable asset their source code — when making security investments. Security does not mean loss of agility or speed — in fact with the Cloud, it means just the opposite.

I believe the world can be a better place if there are less vulnerabilities, less attacks, less people being held hostage by nefarious actors due to software vulnerabilities, and less money wasted on band-aid point solutions. As a community of software developers and service companies it is our job to protect our end customers. Let’s do so by starting with source code security!

So why now?

More and more enterprises are under pressure to move to the cloud. Competition, budgets and the unrelenting pace of innovation is forcing organizations to rethink on-premise investments. Security takes a back-seat as pace becomes an over-riding KPI to success. It’s time to make a serious push to the cloud and I’ll tell you why.

The cloud is where new services are created. This is where the innovation is occurring and software development teams are taking notice. Productivity and quality can be greatly enhanced by leveraging a myriad of cloud tools in your software development process (SDLC). If you don’t already know — your developers are probably already doing this—maybe in secret. But what if they could do it without compromising security? What if they could do it as part of your comprehensive corporate IT security strategy?

At Assembla, where I lead technical strategy, we are answering this issue for our customers by doubling down on Subversion (SVN), making major enhancements to the centralized system, and making it available in the cloud. We’ve found that enterprises run on SVN, which powers mission-critical projects with front and center compliance requirements. Until recently, enterprises have been forced to settle for distributed version control and non-trunk based development to get to the cloud.

Whether it be SOC II, HIPAA or the EU’s upcoming GDPR we live and breathe compliance and have built a suite that lets your development move to the cloud while meeting stringent standards.

Your next steps are clear: speak with your development directors and find out…

  • What policies exist for managing our code & open source?
  • Is there a list of components used in all of our applications?
  • How are we creating the list and auditing it?
  • What controls do they have to ensure unsecure libraries slip through into our software?
  • How are we tracking vulnerabilities for all components over time?

Stay tuned for more updates on enterprise cloud version control by following me or get on Twitter to stay up to date.


Jacek Materna is a technology evangelist and cyber security expert with more than 15 years experience. As CTO of Assembla, Jacek leads the strategic vision for the company’s technology practice.

In this role Jacek consults frequently with customers to better understand needs and concerns regarding the future of Version Control and how Assembla can best help meet those needs.

Prior to Assembla, Jacek was the SVP of Engineering at Securelogix, where he led product development for the VoIP and SIP Security software business. Earlier in his career, Jacek founded a number of technology businesses in and around VoIP security. Jacek holds patents in the space and writes frequently on topics such as enterprise cloud version control, compliance, data security, game development and cloud software development.

Jacek regularly advises South Texas incubators helping to grow the next generation of security and compliance companies.

The opinions expressed in this blog are those of Jacek Materna and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.