
Continuous integration means continuously embedding security skills

Written by Sean Wright
Published on January 20, 2021

Continuous Integration and Continuous Delivery (often referred to as Continuous Integration and Continuous Deployment, or CICD) is a software engineering model that enables faster delivery of new features. In traditional methodologies (such as the Waterfall model) new software features were rolled out in large chunks on a periodic basis, meaning businesses were often slow to adapt to changes within their markets. One of the primary reasons firms have switched to models like CICD is that they allow for more agility: teams can adapt to these developments much more quickly. This is extremely important in technology given the sector’s continual rapid change.

On the other hand, traditional approaches to training across all kinds of technology teams haven’t shifted to match the models used for deployment. Training is often carried out as a one-off event, in many cases as an annual mandatory awareness course – and even certifications are essentially a snapshot of a specific point in time. Although important and beneficial, these typically only lay the foundation for further learning, which makes the approach feel a lot like the traditional waterfall model. Training needs to shift to a more agile form: one that is easier to consume, more nimble, and able to adjust to changes in specific technology environments.

Traditional training methodologies become even more dated when the focus shifts to security. Not only is technology changing rapidly, but attacks are too; malicious actors stay one step ahead by constantly evolving their techniques. Combine these new attacks with new technologies, and the need for continuous development and embedding of skills to stay up to date becomes even more apparent.

We’ve seen this happen in the real world time and time again. Cloud-based databases are often left wide open to the internet. Take the recent SolarWinds incident, from which there are certainly lessons to be learnt: attackers used never-before-seen techniques to mask and cover up their tracks. It recently emerged that malware was used on the build server to inject a malicious payload in a manner that helped it avoid detection. New malicious techniques like this are something security specialists need to remain vigilant about. It’s always wise to stay at least in step with the attackers, and ideally to start thinking about mitigation strategies for advanced, newly discovered threats, something that can only truly be accomplished through continuous, realistic experiences that build expertise.

Hands-on labs covering emerging threats help to equip security specialists

Time is another important factor to consider. As competition becomes more vigorous, the need to deliver faster results becomes more pressing. As a result, organizations will likely find that their development and engineering teams in particular have less time to allocate to training – especially if it means taking a full week of their valuable time. Instead, smaller chunks of on-demand experiences mean team members can decide what to train in and when to do so. The aim should be to fit training into individuals’ schedules and keep the content relevant to their job role; with small, up-to-date modules taken one at a time, a fully equipped and agile team becomes much more achievable.

Labs for development and engineering teams should provide relevant, realistic security challenges

Immersive Labs allows employees across a range of teams and levels of expertise to accomplish this form of continuous learning. Our bite-sized labs mean ready-made, hands-on skills content is always at employees’ fingertips, allowing them to keep up to date on the latest security threats and trends in a manner that fits their schedule. Training, especially when it comes to security, can no longer be viewed as an annual occurrence. It needs to be exercised on a regular basis for companies to stay safe.

You can also see how this works in more detail in an on-demand webinar available here.

Sean Wright
Lead Application Security SME, Immersive Labs
