© 2022 CyberNews - Latest tech news, product reviews, and analyses.


Guy Flechter, Cider Security: “pick one solution instead of several”

Nowadays, the rapid growth of cyberattacks forces us to consider new strategies to protect ourselves on a regular basis.

Some believe that all you need to do to increase your security and privacy is install a firewall or use a VPN to change your location. This is only partly true even for everyday users, and businesses need far more in-depth solutions, since most of the challenges stem from a lack of automation and from human error.

To address the necessity of layered security and the application of automated solutions in business, we invited Guy Flechter, CEO of Cider Security – the world's first AppSec operating system.

How did the idea of Cider originate? What has your journey been like so far?

My journey in the security trenches began almost 20 years ago, first serving in the Israeli Air Force and then becoming a security consultant. My work in consulting led me to LivePerson, where I met Daniel Krivelevich and our journey together began. He was leading the application security side, while I worked on the security team. I moved to AppsFlyer after a few years at LivePerson, and became the company’s first CISO, establishing the entire security program there.

Cider Security was born out of the frustration Daniel and I experienced in trying to implement security in the engineering ecosystem. We realized that the situation was a major dilemma for the industry and that the solutions being offered were overly specific, without taking a broader approach to the security challenges in the engineering ecosystem. That’s where Cider comes in, and we established a company to help security and engineering teams work together more seamlessly and bridge the gap to implement security as part of the engineering ecosystem.

Can you tell us a little bit about what you do? What are the main challenges you help navigate?

We are building a new operating system for the entire AppSec ecosystem. Essentially, Cider has created a unified platform that provides all the layers needed to monitor and fortify an engineering ecosystem. It begins with creating full visibility of what you initially receive from a developer, all the way to the production environment.

The security teams then utilize that visibility and asset inventory to start building all the security layers that are needed in the CI/CD pipeline. This holistic building process is something totally new to the world of AppSec. The ability to build these layers and security together, with higher accuracy in your environment, as well as the technology stack language framework that developers are utilizing, can alleviate the friction typically experienced in DevOps.

The engineering ecosystem is witnessing more frequent releases, more diverse technical stacks, and growing third-party usage. In addition, manual processes are being replaced by automation, and all these changes have major implications for security. A multitude of new risk categories and openings have been introduced and are consistently leveraged by adversaries, and the most advanced hackers are targeting engineering environments, systems, and processes.

These vulnerabilities came into full view with the infamous SolarWinds hack, the Codecov breach, and the Log4j vulnerability, for example. An AppSec OS that allows engineering teams to continue their fast pace is now a necessity for organizations to adapt to this new reality, without making any compromises on security.

In your opinion, which industries should be especially attentive when it comes to application security?

Today’s reality is that companies in all industries need to be attentive to application security. As the discipline of DevOps has gained traction in the engineering world, companies have been widely utilizing DevOps in-house, meaning that they need to mitigate and defend themselves.

Ultimately, any organization with in-house R&D teams needs to pay attention to application security.

Do you think recent global events have altered the ways in which threat actors operate?

There has been a tremendous amount of global turbulence, from the pandemic to wars and economic uncertainty. Adversaries have certainly taken notice, as evidenced by the SolarWinds attack or the Codecov breach. In these uncertain and unsettling times, people often tend to take their eyes off the ball, missing or even ignoring issues as they frantically try to adapt.

Thus, hackers and adversaries thrive in this environment. They utilize this chaos to their advantage and strike while the iron is hot, identifying and exploiting unaddressed vulnerabilities. For this reason, it is even more critical for those defending DevOps practices to remain steadfast in thwarting adversaries and to be prepared for an attack.

What security tools and practices should average individuals adopt to combat these new threats?

I don’t think I’ll say anything new, but for the individual, the first step should be to implement basic, tried-and-true measures, such as two-factor identification. This is an easy and effective first step in thwarting attackers from accessing personal information and accounts and provides a good base to avoid a lot of the threats out there today. This simple practice, which will also help keep security top of mind, is effective in reducing threats to a minimum.

Another best practice I would recommend is to remain vigilant about the emails coming into your inbox. Avoid opening suspicious emails or emails from unknown senders and clicking on unknown links. Phishing attacks and scam emails or texts are common attack methods used to gain access and steal personal data, but they are also easily avoided. When in doubt, simply delete and ignore.

By doing even the bare minimum of security practices, individuals can significantly reduce attacks and lower the impact of potential threats.

What are the best practices companies should follow when developing and launching applications?

The first action companies should take is to understand their environment and gain clear visibility into all aspects of their day-to-day (such as an asset inventory of the corporate, development, and production environments) and then to adopt security guardrails, implementing controls to prevent deviations from expected behaviors. This allows, for example, developers and engineers to continue to operate at speed and deliver their code to production in the most efficient and secure way possible without having to slow down or involve security teams.

Companies should also look for the low-hanging fruit, implementing the very basics as a foundation to build on. This includes maintaining basic code hygiene in their development processes and talking about secrets and credentials and how best to manage them.

As with everything, they need to focus on mastering the basics first. This is the minimum barrier that companies should build when developing their processes. And of course, as a company scales up, so will its products and resources, and these processes and practices can be strengthened and extended.

Besides application security, what other best practices do you think every organization should follow to secure their operations?

Once again, I would refer to the basics, master the fundamentals, build a foundation, and expand on that as you grow. So, first and foremost, organizations need to take a clear asset inventory to ensure they understand what they have and what they are missing inside their environment – whether it's in the corporate environment, the development environment, or in the production environment. Develop a clear understanding of what you have, and then you can begin to build based on that.

Organizations should also find solutions that will consolidate the security aspects of the different processes into a single platform, rather than trying to implement many different solutions. Solutions that can consolidate areas you need will help to focus your efforts and reduce cost (time and money). Of course, there are areas that still require more than one solution, but it will help to cut down on the number of solutions that need to be managed. This is a very important concept.

And, on top of this, try to find and complete your program with as many automation solutions or capabilities as possible to make maintenance easier as well. This is highly connected to the fact that security teams will always face a shortage of defenders and resources to keep up with the pace of development teams. Automation and consolidation solutions will help to overcome these shortages and help organizations secure their operations.

What predictions do you have for the future of the DevOps discipline?

So, if we look back on everything that’s happened in the last four or five years in DevOps, we will see this discipline continue to grow, and organizations will adopt more technologies, and more capabilities, to allow their engineering teams to move even faster. I think the fact that more and more companies, even traditional companies, are adopting these development processes will continue the growth we are seeing in this area.

Something else we are already seeing is that security is becoming a key element in the DevOps discipline. So I believe we’ll see that companies that are providing DevOps solutions, such as SCM solutions, CI solutions, or artifactory solutions, and so on, will have more and more security capabilities built into their offerings.

What does the future hold for Cider?

We are continuing to grow, continuing to accelerate our offering, and enrich all the areas that we are taking care of within the platform. We see ourselves as the operating system of the entire AppSec program for any company with development processes.

We want to lead the industry and use our rich industry experience and the talented team we’ve been able to build to continue building a solution that helps engineering and security teams to tackle the challenges that they face when trying to implement security in the engineering ecosystem.
