Application Security
3/14/2017
10:30 AM
Mike D. Kail
Commentary

The Industrial Revolution of Application Security

DevOps is driving big changes in the industry, but a cultural shift is needed.

The industrial revolution marks a significant time period in our history because it was one of the first "disruptions" that led to advances in productivity and innovation. The most important inventions were the machines that automated work done manually with human capital and various tools. It is responsible for the cotton gin, the steam engine, the telegraph, new chemical manufacturing and iron production processes, and the rise of the factory system.

There are many parallels to the industrial revolution in the technology sector, including the advent and growth of the Internet, the migration to cloud computing, and mobile devices as an endpoint. One of the main forces driving this technological revolution is the adoption of development and operations (DevOps) culture. DevOps is all about the collaboration and communication. Its core tenets are culture, automation, measurement, and sharing.

The first step is to break down the walls between teams, building a culture where individuals are encouraged to work with other teams and step outside the traditional channels of the waterfall model. Automation brings productivity gains, higher accuracy, and consistency. Measurement is crucial in DevOps for continuous improvement—data and results need to be readily available, transparent, and accessible to all. The fourth tenet—the sharing of best practices, discoveries, etc.—includes sharing both inside an organization, between teams and departments, and with other organizations and companies in the community, to best drive innovation.

Unfortunately, cybersecurity, specifically code and application security, hasn't kept pace with this rapid progress. Far too many solutions have been vertically focused on the how instead of horizontally focused on the why. Much like how the railroad provided the platform to support numerous aspects of the industrial revolution, there needs to be a convergence of disparate tools and human capital initiatives onto a common platform that seamlessly integrates code and application security analysis and vulnerability testing without requiring developer intervention. That assertion was validated for me by walking the floor at the RSA Conference in February. There are simply too many vendors using the same messaging relying on FUD (fear, uncertainty, and doubt).

Barriers to Success
Before the industrial revolution, there were several barriers to innovation and advancement. There is certainly a corollary to the current state of application security. The first barrier is the vast landscape of tools and point solutions, which all tend to be vertically focused on specific areas and capabilities. This presents a serious challenge of scaling out both human capital (security engineers) and complete coverage of code repositories and application catalogs effectively.

Another barrier is that the security team is typically not integrated into the software development life cycle. This leads to the security team having to be the gatekeeper to application update delivery, or acting as police after the delivery. These two barriers often lead to the creation of a contentious relationship between the DevOps and security operations (SecOps) teams, instead of the collaborative, sharing culture that is inherent to DevOps. A third barrier is the serious cybersecurity skills gap—the nonprofit Center for Cyber Safety and Education estimates there will be a shortage of 1.8 million information security workers by 2022. Without security talent, we can't expect to further our innovation and security resiliency.

Risk, to me, is a four-letter word. I believe that there is too much focus and emphasis on mitigating risk, which is primarily a defensive stance, versus "playing offense" and managing and monitoring risk as an "elastic asset." My contrarian view of application security is that we, as an industry, need to start playing offense in a continuous manner instead of passive defensive approaches performed on a weekly/monthly/quarterly/annual basis. For starters, we need to incorporate application scanning way earlier in the software development life cycle. Security can't be an afterthought. Attackers at all levels are scanning applications and infrastructure for the smallest vulnerability on a continuous basis so we need to act accordingly. If we hope to move the security and resiliency needle at all, we need to adopt the same automated and continuous approach.

I firmly believe that social and cultural changes—a key driver of the industrial revolution—will power the shift that needs to happen in the application security sector to positively disrupt our overall security resiliency, leading to an industrial revolution of application security. The "base of the stack" is the cultural change and mental shift to the culture of DevOps, which then drives the culture of DevSecOps.

Going forward, we collectively need to focus on the end game or the why rather than fixating on individual tools that address only some segments of the DevOps security challenge. The industrial revolution of application security is ours for the taking, and we're so close! We just need our common platform "railroad," widespread trust in the DevSecOps approach, and an eye on the prize (focusing on why not how). 

Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ...