Declaring War on Surface Area Sprawl
SecurityTrails got a big gut check at the beginning of last week. One of our Elasticsearch servers was unintentionally left open when an engineer was trying to fix an outage. This caused a series of self inflicted drama.
We notified clients and wrote a comprehensive technical blog post almost immediately. The response from clients and the security community as a whole was positive and encouraging, with the occasional well-deserved eye roll on Twitter.
This brings us to where we are today. To help better understand where we stand, what we’ve learned and what we plan to do to be better in the future, SecurityTrails co-founders Chris Ueland and Courtney Couch share their thoughts.
From the founders
“This isn’t a small thing to us.
I feel a huge sense of responsibility to solve this issue for every company including our own. I am crazy passionate about solving this problem and have spent every day for the past 3 years of my life thinking about it.
We had this issue even though we know the risks, heck – we have 230+ blog posts surrounding the topic educating others. We try to do all the right things. We recruit people that are passionate about solving this problem and others that have the best possible supporting skills to solve it.
Furthermore, the issue happened from one mouse click not being made. Is it the engineer’s fault? Of course. But why? Why in a security company with smart people who know the risks can this still happen in 2020?
There’s only one answer I can think of – the visibility and tools aren’t where they need to be.
We are getting back to our roots. The reason we started this company was to ‘make sure you aren’t blindsighted by an attack you could have prevented.’ This situation has doubled my personal resolve to solve this problem.”
“This last week has reminded me exactly why we decided to build this company. It’s made the pain and embarrassment we hope to end painfully close.
Every day there are more and more great services and tools to help people solve their domain problems, but embracing these cutting edge tools and services is a double edged sword. On one hand you have the enhanced capabilities these tools give us, and on the other hand you have the increased surface area that comes with adding another tool to your tool belt.
In the end, we often take a conservative approach to utilizing new services because in all reality – the real risk isn’t what we know and do wrong, it’s what we don’t know and inadvertently do wrong. That worry about not knowing what it is that you don’t know has an impact on our ability and confidence to quickly develop.
Engineering teams should be able to quickly assess their overall exposure and understand how their exposure changes as they adopt new tools. If the tools were available and easy to access, we could all afford to take more risks and move quicker, spending more time on solutions and less time on being paranoid about what we missed.
It’s our belief that entrepreneurs should be focused on making their vision a reality and not distracted by a fear that a couple of wrong clicks could make all their best practices for nothing. It’s this belief, and this passion that drove us to start building SecurityTrails, and our embarrassing lapse last week only reinforced that we must complete our mission.”
Our commitment to you in the future is to learn from this experience and help others to overcome this unfortunately common problem.
We will solve this
We will do everything in our power to solve the problem of unintended attack surface sprawl from technical debt, acquisitions or mistakes.
We will provide a wide distribution
We will get tools that provide visibility in the hands of as many people as humanly possible and give teams the knowledge they need to embrace cutting edge tools.
We will make exposure from an oversight something that can be universally available
We never want anyone to feel the way we do due to an infrastructure mistake– embarrassed and disappointed. We will make understanding your surface area in a complex cloud based world the standard not the exception.
We will empower others
We will enable engineering teams to confidently assess their infrastructure. We will make the peace of mind to founders that come with these tools to forge a path ahead with a full understanding of the risks without distraction and anxiety about what they don’t know.
We will provide support to the community at large
Anyone who is working to help companies solve this problem will have support from us. We don’t care if they are a “competitor,” a bug bounty hunter, open source contributor – if you’re working to solve this problem you’re our ally and we will provide material support for you.
We are declaring war on this problem and we are dedicated to putting an end to it. Stay tuned.
Source of Article