‘Development and security teams shouldn’t be at odds with each other’

29 Jul 2022

Reuven Harrison. Image: Tufin

Tufin’s CTO talks about the dangers of an ‘us versus them’ attitude between developers and security teams.

Reuven Harrison is the chief technology officer and co-founder of Tufin, a security policy management company specialising in the automation of security policy changes across hybrid platforms.

Earlier this year, it was announced that Tufin would be acquired by software-focused investment firm Turn/River Capital, in an all-cash transaction valuing Tufin at approximately $570m.

In his role, Harrison is responsible for the company’s future vision and product innovation. “Ultimately, I keep an eye on industry trends and listen to the feedback our customers have about their biggest pain points, and my team and I develop solutions to meet those challenges,” he told SiliconRepublic.com.

“I have a particular interest in developing solutions for security and development teams to work together in a way that will ensure a robust security posture while increasing agility.”

‘Security teams still need to be part of the development process’

What are some of the biggest challenges you’re facing in the current IT landscape?

One of the biggest challenges I’m seeing is the myth that security is the weak link in the DevOps chain and how that misconception presents itself within security and development teams – often to the detriment of both teams and, as such, their organisations.

Development teams often feel hindered by security teams, viewing them as a blocker that slows down the agile development practices required of today’s large enterprises.

At the same time, circumventing security isn’t the answer. Like it or not, security teams still need to be part of the development process.

Right now, most businesses believe that they only have two choices: secure but slow, or agile but risky. But this is simply not true.

Development and security teams don’t need to be at odds with each other. In fact, when these two teams come together, true digital transformation happens.

What are your thoughts on digital transformation?

As a software company we rely on substantial compute and storage. Some of this is still on-premises for cost and security reasons, but we have also been using increasingly more services in the cloud for scalability and advanced services. Our SaaS solutions, for example, are developed and deployed on Google Cloud.

How can sustainability be addressed from an IT perspective?

One approach, which we were forced into during Covid-19, was substituting travel by video meetings. This of course reduces our carbon footprint significantly. While this approach works to a certain degree, there comes a moment where a face-to-face meeting yields better results.

For example, meeting with customers to get their feedback and understand their business problem is much more effective when done on-site and face-to-face.

Another example is team meetings. Currently we have a two-day-in-the-office policy, which seems to be a good balance, but some objectives require greater frequency, for example teams that are innovating rapidly.

What big tech trends do you believe are changing the world?

As enterprises embrace the cloud as their main compute platform, new attack vectors are being exposed and targeted by cyber criminals.

While it is normal for security controls to follow new technologies – and we are already seeing organisations close this gap using security groups, cloud firewalls, proxies and other security controls – there is an additional and unique factor in this case which amplifies the risk: the gap between traditional security teams and cloud dev teams who are operating the cloud.

This gap consists of different tools, processes and business objectives between security teams and dev teams. As a result, developers are unintentionally exposing the organisation and its customers through cloud misconfigurations which may lead to data breaches, service interruptions and ransom demands.

How can we address the security challenges currently facing your industry?

As a software company we are putting more and more security checks into our development processes. This is critical to address the frequent vulnerabilities which are emerging these days and to ensure that our security product doesn’t become part of the attack surface itself, which is what happened to SolarWinds.

We perform regular penetration tests and static analysis testing, and we have strict guidelines for input validation on all APIs. We also have service-level agreements for fixing vulnerabilities which are relative to their severity.