If you are using our platform then you’re already benefiting from an advanced Product Security program, cloud security specialists, and a dedicated Detection and Response team monitoring 24/7.
Auth0 is a platform that helps application builders innovate faster. This means reducing the complexity of building identity into your applications, helping you move as quickly and securely as possible. But, identity is not simple; implementing the security protocols themselves is complex and there is inherent messiness in web security. This is why Auth0 has put in place a world-class security program to also make that easy for our customers.
I wanted to share more about how we run our program and what’s going on behind the scenes to protect all our customers. It’s something I started to talk about last year in an interview with Guy Podjarny on the Secure Developer podcast and it’s something I will be talking about more this year.
"There is no blueprint for success when it comes to building a security team, but in this post, @Auth0’s Sr. Director of Security + Compliance Duncan Godfrey shares the steps we’ve taken at Auth0 to create a world-class security program to protect the world’s identities."
There is no blueprint for success when building a Security Team. You will find different corporate structures and different structures to the engineering and operational teams. The teams grow organically, as you iterate on the makeup of their skills and their responsibilities all tied to the risks specific to your business. Within the Security community, we collaborate and compare notes with your peers in the industry, and that’s what I see. Leaders have optimized in different areas depending on their risks.
What Is the Mission of Our Security Team?
Why does the Security Team exist? Trust is foundational to our success, and it's the Security team’s mission to build and maintain trust with our customers — and our customers’ customers and partners. As an IDaaS platform, we recognize that our solution is a building block for trust. We should never be a threat vector for our customers. This complicates the execution of a Security Program but in a way that attracts talented engineers who want to be part of a company that is at the center of the identity ecosystem.
With a Million Different Priorities, How Do You Know Where to Focus?
Security is no different from any other successful business unit, you ruthlessly prioritize your resources to push towards your goals. Governance, risk, and compliance have been a peer to Security Engineering and helps us drive our focus and requirements. Both teams report to the CISO meaning they are not auditing our controls after the fact, they are part of the conversation.
The underpinning of any good security program is risk management. During our first ISO 27001 audit, we solidified this as a process and it’s something I have enjoyed reworking and improving. Whatever methodology you choose (e.g. NIST, FAIR) having a realistic order of risk linked backed to all your information assets helps you prioritize and communicate with the rest of the business. And, using this we can prioritize investment in our controls.
Auth0 sells a security product, engineers here are building security at a security company. Something that has been different at Auth0 is that our most critical assets are actually our business process, our logic, our API the mechanisms that we provide to our customers more so than directly our data (not that isn’t also a critical asset).
We’ve always done things a little differently which adds some more interesting variables to our Enterprise, Auth0 is cloud-native in both our production infrastructure and our office apps; we are remote and we have and are growing very quickly.
"Security is no different from any other successful business unit, you ruthlessly prioritize your resources to push towards your goals,” says @Auth0’s Sr. Director of Security + Compliance Duncan Godfrey. In this post, he shares how he makes his choices."
As well as our individual company risks our customers themselves have demanding high-security requirements. This all drives our investment in security, the development of our teams, and the rigorous compliance regime we put ourselves through.
There are different models for defining the varied focus of Security Engineering teams. I have always liked "Builders, breakers, and defenders". There has also been some standardization on using colors to communicate focus or capability (with the strongest associations being with defensive (blue) and offensive (red)). What you will see as I discuss the different teams we have tended to focus on defense but that is already starting to change.
The structure we have currently for the security engineering teams are:
- Product Security
- Cloud Security
- Detection and Response
- Security Awareness
Product Security Team
Our Product Security team is a cross-functional Application and Product security team containing engineers who like building and breaking software. Product Security can mean different things to different security professionals for us it is supporting the product development lifecycle.
Primarily the charter of these team has been:
- Developing a mature frictionless secure development lifecycle (SDL or SDLC).
- Building tools to automate security in our CI/CD pipeline and developing libraries to wrap core security functions safely for developers and the building side (owning and developing libraries for specific security-focused operations of the product).
- Vulnerability Management
- Security Awareness and Training
It’s multidisciplinary as these functions can require different but overlapping skill sets. Supporting an SDL requires people who can run threat modeling exercises and work with developers to architect good security controls in response to the risk. Building tools and libraries require a Software Development Engineer (SDE) who can release and manage production code. We build a specialist product whose mission is to simplify that complexity for our customers. So within this team are experts in Identity protocols and how to abuse them.
Successfully handling vulnerabilities is a core capability for a security team, to protect the company from the impact of their exploitation. Making sure that once something is identified clearly communicated to the engineering teams and tracked to remediation. Day-to-day this means working with internal engineering teams and external researchers and third party penetration companies.
One of the things you may notice is that we have invested a lot in our supportive functions (e.g. SDL and VM). One of the changes that are already upon us is that we are now growing our breaking side, the team is becoming more involved in specific offensive security testing and red teaming.
Cloud Security Team
Auth0 is cloud-native and we have built our product predominately on Amazon Web Services. AWS is a complicated product with a wide surface area, it offers developers a lot of freedom to build but it also offers a lot of opportunities to create an unnecessary attack surface. You need specialists in your Security team who understand building secure infrastructure in the Cloud and who can keep up with the high rate of change. This is where the Cloud Security team comes in, they secure our cloud infrastructure.
This team grew out of a need to harden and secure access to an ever-growing number of AWS accounts. And, along with this, the founding charter was to ensure that we’re collecting data from every possible nook and cranny of AWS, pulling it in for analysis. Security monitoring has always been a foundation security building block for me and I have put a lot of emphasis on monitoring, security monitoring, gathering logs, and making sure we have a good audit trail for everything that we do.
One of the advantages but also potential pitfalls of the cloud is how your workloads are now spread widely and dynamically. Making sure you are tracking assets is now similar to a big data problem and this team provides services to monitor these without slowing anyone down. Creating graphs from our non-standard networks and providing enriched data for analysis.
When people typically think of security engineers, they think of people who run firewalls or they do the configuration on routers and things like that. But really, that’s not how you can operate in a Cloud environment anymore, and that’s not how you can operate. In theory, everyone’s writing software, so it’s security software engineers building security services with some more infrastructure ops people now mixed into the team to help them scale those services too.
As the team has grown they have also been able to build tools for developers to be able to access and deploy safely to the Cloud too. Building tooling to provide ephemeral access was a huge win here, with scoped short-lived access credentials becoming the norm in our environment.
Detection and Response
The Detection and Response (DR) team’s charter is a threat detection and incident response (IR). This team is our insurance policy, they are the cool heads in a crisis. They’re trained incident responders who can deal with tough issues, collaboratively troubleshoot and problem solve. It’s also at the core of what the Security team does for the business which has come more into focus during our pandemic planning.
As a company grows an IR team is something you can afford to invest in. it’s not that you won’t have to deal with incidents before you have a dedicated team, but until you reach that point it’s likely a shared responsibility within the security team. This means that getting to the point of having specialists is also a major release of pressure for the security org - especially for folks who are not naturally drawn to the adrenaline rush of IR.
We have taken a hybrid approach while building our Security Operation Center(SOC). We use an MSSP to enable us to guarantee 24/7 eyes on glass coverage and first-line triage. With our partner, supporting us with some of the easier operation work enabled us to take a modern approach to build a DR team. This means hiring Engineers who have both the technical skills to build detections and automation, while also having the people skills to run an incident. Which, is a skill set that is very in demand in the security market.
Everyday human mistakes are still the most common path to compromise. This why an effective Security Culture program is such a critical component of a successful security program. We invested in this early on and have a dedicated resource crafting training to fit our companies culture.
It’s something that is often unestimated and underinvested in; with the classic tick box mandated annual Security Awareness Training is an example of something that is often very generic but is actually a great opportunity to grab the attention of everyone at your company, in one go. If you affect even only a percentage of those people it’s a huge security win. The feedback we got last year justified the investment and hopefully won us some fans. Beyond this, we have expanded to improve onboarding training, building-specific developer-focused secure code training, and anti-phishing training.
Modern Cybersecurity is a Complex Operation
Good security is a process and it’s something that you build towards. You mature your operations and process driving towards continually raising your bar and reducing risk. When you are using our Product you now have the Auth0 Security team protecting your identity 24/7.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.