Looking for Greater Security Culture? Ask an 8-Bit PlumberLooking for Greater Security Culture? Ask an 8-Bit Plumber
After 40 years of navigating catastrophes, video-game character Mario can help us with a more intelligent approach to DevOps and improving security culture.
April 22, 2021
Mario is a beloved Nintendo character — many of you will be familiar with his journey of smashing blocks, exploring pipes, and ripping a few laps on go-karts. Unfortunately, Mario's journey is often interrupted when a giant turtle monster, Bowser, inevitably infiltrates the nearby castle over and over again to wreak havoc, and it becomes Mario's job to set everything right.
It would be a stretch to imagine a better example of a terrible security culture.
As we reflect on the past 40 years of helping Mario fix one catastrophe after another, it's worth considering how his example can help us understand a more intelligent approach to DevOps security. Companies have the tools to improve their culture of security by enabling DevOps teams to build it into their foundation — and defeat the Bowsers of today.
Prioritize Extra Lives Over Speed Runs
Everyone loves a good speed run, and there is a certain satisfaction in recording a new personal best. However, a complete run is more than beating levels as quickly as possible; it's about stopping Bowser in the most efficient way possible. Obtaining that best time usually means eating up a lot of Mario's lives to learn the traps and obstacles of the levels, a luxury many companies can't afford.
That's not to say that speed isn't important in addressing security breaches. But going fast becomes a liability for DevOps teams if they fail to address all the potential issues. Now more than ever, speed has become the end-all be-all as we witness an explosion of apps due to the pandemic — putting tons of pressure on our DevOps teams. From an ethical hacker's perspective, going as fast as possible might keep hackers on their toes but that can also provide a false sense of security because important protective measures might fall through the cracks.
In the same way that speedrunning a video game certainly means a player will die repeatedly in an effort to cut seconds off their time, ignoring security issues in the name of speed can gum up the works in the long run. It's the end goal that matters, not short-term gains. If developers have security as their first goal and speed as their second, they will have less of a need to go back and fix any issues.
Make It Easy for Developers to Avoid Obstacles
Anyone playing Mario knows how important it is to memorize the enemies' moves and behaviors to progress through a level. Timing is everything when facing spring traps like the Thwomps, big walls that still manage to squish even a skilled player. For businesses, we have a good sense of hackers' tactics and need to work with DevOps to address those security concerns at every level of development.
Recognizing when you are vulnerable to a trap will get you through some challenges, but the most experienced developers plan for the traps ahead of time. DevOps team members with the deepest knowledge are always thinking about security, so they can create software without security becoming a stumbling block down the road.
Organizations should take steps to make security routine, from planning to testing to deployment. Embedding security into every phase of software development will help developers always keep security top of mind and prevent it from becoming an obstacle to trip up progress.
Keep an Eye on Your Processes
Every once in a while, Mario has to find his way through a haunted house in order to progress along the path to save the day. These are the hangouts of the infamous Boos, ghosts that if you don't look directly back at them and track their whereabouts could spell game over.
When Mario is facing the Boos, their ability to hurt him is drastically reduced. Similarly, when companies rely heavily on security and automation, developers must carefully watch and keep tabs on their processes or it can turn into a disaster.
To put this into perspective, Veracode's recent "State of Software Security" report found that when running static analysis (SAST) scans through an API, organizations can repair flaws 17.5 days faster on average. Results will vary per organization, but it's clear that monitoring your performance will pay out.
Taking account of fast-moving and automated processes is important to monitor performance and automatically alert when something goes wrong. Trackable data includes key events in the infrastructure and access logs. Building dashboards and an alerting system is an excellent way to keep your eye on everything and strengthen software development.
Provide Security Boosts and Development Opportunities
Mushrooms are the foundation of Mario's success. Most of the mushrooms in the game make him taller and stronger, but seeing a green extra life mushroom pop out of a smashed block is one of the most exciting moments in a Super Mario Bros. session.
Like any smart gamer, department leaders need to always be on the lookout for ways to provide their DevOps with powerups, as well to help motivate them. As companies build practices where security is second nature, they will be able to boost their teams through opportunities for career development.
These productive pauses will equip developers with skill sets based on the most updated practices and protocols, as well as knowledge or relevant regulatory policies.
After a lot of hard work, Mario always reaches the final castle and frees Princess Peach from captivity to the heinous Bowser. At least until the next security failure, and then he'll have to do it all over again.
Don't let your company security fall into the same traps as this 40-year-old legacy. By being cautious about running past security issues, removing obstacles whenever possible, keeping your eye on potential problems, and giving your DevOps opportunities to continue improving, you can achieve the security version of a personal best.
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023