Looking for Greater Security Culture? Ask an 8-Bit Plumber

After 40 years of navigating catastrophes, video-game character Mario can help us with a more intelligent approach to DevOps and improving security culture.

Rick van Galen, Security Engineer, 1Password

April 22, 2021


Mario is a beloved Nintendo character — many of you will be familiar with his journey of smashing blocks, exploring pipes, and ripping a few laps on go-karts. Unfortunately, Mario's journey is often interrupted when a giant turtle monster, Bowser, inevitably infiltrates the nearby castle over and over again to wreak havoc, and it becomes Mario's job to set everything right.

It would be a stretch to imagine a better example of a terrible security culture.

As we reflect on the past 40 years of helping Mario fix one catastrophe after another, it's worth considering how his example can help us understand a more intelligent approach to DevOps security. Companies have the tools to improve their culture of security by enabling DevOps teams to build it into their foundation — and defeat the Bowsers of today.

Prioritize Extra Lives Over Speed Runs
Everyone loves a good speed run, and there is a certain satisfaction in recording a new personal best. However, a complete run is more than beating levels as quickly as possible; it's about stopping Bowser in the most efficient way possible. Obtaining that best time usually means eating up a lot of Mario's lives to learn the traps and obstacles of the levels, a luxury many companies can't afford.

That's not to say that speed isn't important in addressing security breaches. But going fast becomes a liability for DevOps teams if they fail to address all the potential issues. Now more than ever, speed has become the be-all and end-all as we witness an explosion of apps due to the pandemic, which puts enormous pressure on our DevOps teams. From an ethical hacker's perspective, going as fast as possible might keep hackers on their toes, but it can also provide a false sense of security because important protective measures might fall through the cracks.

In the same way that speedrunning a video game certainly means a player will die repeatedly in an effort to cut seconds off their time, ignoring security issues in the name of speed can gum up the works in the long run. It's the end goal that matters, not short-term gains. If developers have security as their first goal and speed as their second, they will have less of a need to go back and fix any issues.

Make It Easy for Developers to Avoid Obstacles
Anyone playing Mario knows how important it is to memorize the enemies' moves and behaviors to progress through a level. Timing is everything when facing spring traps like the Thwomps, big walls that still manage to squish even a skilled player. For businesses, we have a good sense of hackers' tactics and need to work with DevOps to address those security concerns at every level of development.

Recognizing when you are vulnerable to a trap will get you through some challenges, but the most experienced developers plan for the traps ahead of time. DevOps team members with the deepest knowledge are always thinking about security, so they can create software without security becoming a stumbling block down the road.

Organizations should take steps to make security routine, from planning to testing to deployment. Embedding security into every phase of software development will help developers always keep security top of mind and prevent it from becoming an obstacle to trip up progress.

Keep an Eye on Your Processes
Every once in a while, Mario has to find his way through a haunted house in order to progress along the path to save the day. These are the hangouts of the infamous Boos, ghosts that can spell game over if you don't look directly back at them and track their whereabouts.

When Mario is facing the Boos, their ability to hurt him is drastically reduced. Similarly, when companies rely heavily on security and automation, developers must carefully watch and keep tabs on their processes, or things can turn into a disaster.

To put this into perspective, Veracode's recent "State of Software Security" report found that when running static analysis (SAST) scans through an API, organizations can repair flaws 17.5 days faster on average. Results will vary per organization, but it's clear that monitoring your performance will pay off.

Keeping track of fast-moving, automated processes is what lets you monitor performance and automatically alert when something goes wrong. Trackable data includes key events in the infrastructure and access logs. Building dashboards and an alerting system is an excellent way to keep your eye on everything and strengthen software development.

Provide Security Boosts and Development Opportunities
Mushrooms are the foundation of Mario's success. Most of the mushrooms in the game make him taller and stronger, but seeing a green extra life mushroom pop out of a smashed block is one of the most exciting moments in a Super Mario Bros. session.

Like any smart gamer, department leaders need to always be on the lookout for ways to provide their DevOps teams with power-ups, as well as to help motivate them. As companies build practices where security is second nature, they will be able to boost their teams through opportunities for career development.

These productive pauses will equip developers with skill sets based on the most up-to-date practices and protocols, as well as knowledge of relevant regulatory policies.

After a lot of hard work, Mario always reaches the final castle and frees Princess Peach from captivity by the heinous Bowser. At least until the next security failure, when he'll have to do it all over again.

Don't let your company's security fall into the same traps as this 40-year-old legacy. By being cautious about running past security issues, removing obstacles whenever possible, keeping your eye on potential problems, and giving your DevOps teams opportunities to continue improving, you can achieve the security version of a personal best.

About the Author(s)

Rick van Galen

Security Engineer, 1Password

Rick van Galen is a security engineer at 1Password, the leader in providing private, secure and user-friendly password management to businesses and consumers globally. Based in Toronto, he spearheads the company's reputational and industry-leading security protocols. Rick is passionate about cybersecurity and has more than 10 years of experience as a technical security expert and ethical hacker, specializing in infrastructure, web technology, and mobile security.

Prior to joining 1Password, Rick led and consulted on cybersecurity practices for multiple companies including his most recent position as information security officer for Onegini. Throughout the years, Rick has developed his technical skills in coding, performing security tests, product design, and development processes.
