DevSec For Scale Podcast – Cloud Security for Startups w/ Moshe Ferber, CSA Israel

In this episode of the “DevSec for Scale” podcast, Jeremy Hess welcomes Moshe Ferber, Chairman of the Cloud Security Alliance (CSA) Israel Chapter. They discuss the importance of implementing proper security measures in startups, particularly those selling to enterprises. Moshe emphasizes that without proper security tools, startups may struggle commercially, because enterprises require robust security measures from their vendors.

Moshe provides an overview of the CSA Israel Chapter’s contributions, including hosting the CSA Innovation Conference during Israel’s Cyber Week and publishing the Cloud Security Guidelines for Startups. These guidelines are tailored to the different phases of a startup’s journey and help startups mature their security practices based on their growth and funding stages.

Moshe shares his background in information security, detailing his 22 years of experience in the field, including his work with large enterprises and startups. He highlights the shift to cloud services and how it has transformed the startup landscape, enabling startups to build resilient, enterprise-grade infrastructures from day one.

The discussion delves into application security, emphasizing the importance of integrating security measures throughout the software development lifecycle (SDLC) and the continuous integration and continuous deployment (CI/CD) pipeline. Moshe explains that traditional security practices, which involved manual testing and long deployment cycles, are no longer sufficient in the fast-paced cloud-native environment. Instead, automated security testing and integrating security early in the development process (shift-left) are crucial.

Moshe outlines the different security gates and testing methods that should be incorporated into a startup’s CI/CD pipeline, including:

  1. **Software Composition Analysis (SCA):** Checking external open-source packages for vulnerabilities and ensuring their integrity.
  2. **Static Analysis (SAST):** Analyzing the code for security vulnerabilities as the developer writes it, providing immediate feedback.
  3. **Dynamic Analysis (DAST):** Conducting black-box testing on the deployed application to identify vulnerabilities through simulated attacks.
  4. **Infrastructure as Code (IaC) Security:** Ensuring that deployment templates do not have security misconfigurations, such as open ports or exposed secrets.
  5. **Secret Management:** Using dedicated services to securely store application secrets like API keys and access credentials.
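As an added illustration of gate 4 (IaC security) that is not code from the podcast or from the CSA guidelines, here is a minimal check a startup could run in CI: it walks a CloudFormation-style JSON template and flags ingress rules open to the world on administrative ports, and environment variables whose secret-looking name carries a literal value instead of a reference to a secret store. The template, port list and name patterns are constructed for the example.

```python
"""Added IaC gate example: flag world-open admin ports and literal secrets in a template."""
import json
import re

# Constructed CloudFormation-style template for the demo; not from any real project.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "App": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"Environment": [
        {"Name": "DB_PASSWORD", "Value": "hunter2-plaintext"},
        {"Name": "DB_PASSWORD_REF", "Value": "{{resolve:secretsmanager:prod/db}}"}]}}}})

ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}      # SSH, RDP, common databases
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)
# Values that point at a managed secret store are allowed; literal strings are not.
REFERENCE_RE = re.compile(r"^(\{\{resolve:|\$\{)")


def _walk_dicts(node, path="$"):
    """Yield (json_path, dict) for every object in the document, depth first."""
    if isinstance(node, dict):
        yield path, node
        for key, child in node.items():
            yield from _walk_dicts(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk_dicts(child, f"{path}[{i}]")


def scan_template(template_json):
    """Return sorted finding strings for the two checks this gate implements."""
    findings = []
    for path, node in _walk_dicts(json.loads(template_json)):
        # Check 1: an ingress rule open to the world that covers an administrative port.
        if node.get("CidrIp") in WORLD_CIDRS and "FromPort" in node:
            lo, hi = int(node["FromPort"]), int(node.get("ToPort", node["FromPort"]))
            if lo == -1 or any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(f"OPEN_PORT {path}: {lo}-{hi} open to {node['CidrIp']}")
        # Check 2: a secret-looking variable whose value is a literal, not a reference.
        name, value = node.get("Name"), node.get("Value")
        if isinstance(name, str) and isinstance(value, str) \
                and SECRET_NAME_RE.search(name) and not REFERENCE_RE.match(value):
            findings.append(f"PLAINTEXT_SECRET {path}: {name}")
    return sorted(findings)


def gate_passes(template_json):
    """CI gate verdict: True only when the template produces no findings."""
    return not scan_template(template_json)
```

Running `scan_template(SAMPLE_TEMPLATE)` reports the world-open SSH rule and the literal `DB_PASSWORD`, while the HTTPS rule and the secrets-manager reference pass; `gate_passes` gives the boolean a pipeline step would fail on.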

He advises startups to start with open-source tools for initial security testing and gradually integrate more sophisticated solutions as they grow. Moshe also emphasizes the importance of managed services to save time and operational burden.

In conclusion, Moshe highlights the CSA’s ongoing efforts to update the Cloud Security Guidelines for Startups and invites contributors to join the initiative. He encourages listeners to attend Israel’s Cyber Week for insights into cloud security and innovations.

For practical tips, Moshe suggests:

  1. Using open-source tools for initial security checks.
  2. Paying extra attention to Kubernetes images to prevent breaches.
  3. Implementing dynamic analysis for ongoing vulnerability assessment.
  4. Carefully managing developer access to production environments to maintain security integrity.
  5. Leveraging managed services for monitoring and security testing to reduce operational overhead.

The episode provides valuable insights for startups looking to integrate robust security practices without disrupting their development cycles.