4/22/2021
10:00 AM
Rick van Galen
Commentary

Looking for Greater Security Culture? Ask an 8-Bit Plumber

After 40 years of navigating catastrophes, video game character Mario can help us with a more intelligent approach to DevOps and improving security culture.

Mario is a beloved Nintendo character — many of you will be familiar with his journey of smashing blocks, exploring pipes, and ripping a few laps on go-karts. Unfortunately, Mario's journey is often interrupted when a giant turtle monster, Bowser, inevitably infiltrates the nearby castle over and over again to wreak havoc, and it becomes Mario's job to set everything right. 

It would be a stretch to imagine a better example of a terrible security culture.


As we reflect on the past 40 years of helping Mario fix one catastrophe after another, it's worth considering how his example can help us understand a more intelligent approach to DevOps security. Companies have the tools to improve their culture of security by enabling DevOps teams to build it into their foundation — and defeat the Bowsers of today. 

Prioritize Extra Lives Over Speed Runs
Everyone loves a good speed run, and there is a certain satisfaction in recording a new personal best. However, a complete run is more than beating levels as quickly as possible; it's about stopping Bowser in the most efficient way possible. Obtaining that best time usually means eating up a lot of Mario's lives to learn the traps and obstacles of the levels, a luxury many companies can't afford.

That's not to say that speed isn't important in addressing security breaches. But going fast becomes a liability for DevOps teams if they fail to address all the potential issues. Now more than ever, speed has become the be-all and end-all as we witness an explosion of apps due to the pandemic — putting tons of pressure on our DevOps teams. From an ethical hacker's perspective, going as fast as possible might keep hackers on their toes, but it can also provide a false sense of security, because important protective measures might fall through the cracks.

Credit: RoseStudio via Adobe Stock

In the same way that speedrunning a video game certainly means a player will die repeatedly in an effort to cut seconds off their time, ignoring security issues in the name of speed can gum up the works in the long run. It's the end goal that matters, not short-term gains. If developers have security as their first goal and speed as their second, they will have less of a need to go back and fix any issues.

Make It Easy for Developers to Avoid Obstacles 
Anyone playing Mario knows how important it is to memorize the enemies' moves and behaviors to progress through a level. Timing is everything when facing spring traps like the Thwomps, big walls that still manage to squish even a skilled player. For businesses, we have a good sense of hackers' tactics and need to work with DevOps to address those security concerns at every level of development. 

Recognizing when you are vulnerable to a trap will get you through some challenges, but the most experienced developers plan for the traps ahead of time. DevOps team members with the deepest knowledge are always thinking about security, so they can create software without security becoming a stumbling block down the road.

Organizations should take steps to make security routine, from planning to testing to deployment. Embedding security into every phase of software development will help developers always keep security top of mind and prevent it from becoming an obstacle to trip up progress.

Keep an Eye on Your Processes
Every once in a while, Mario has to find his way through a haunted house in order to progress along the path to save the day. These are the hangouts of the infamous Boos, ghosts that can spell game over if you don't look directly back at them and track their whereabouts.

When Mario is facing the Boos, their ability to hurt him is drastically reduced. Similarly, when companies rely heavily on security and automation, developers must carefully watch and keep tabs on their processes, or things can turn into a disaster.

To put this into perspective, Veracode's recent "State of Software Security" report found that when running static analysis (SAST) scans through an API, organizations can repair flaws 17.5 days faster on average. Results will vary per organization, but it's clear that monitoring your performance will pay off.

Keeping track of fast-moving and automated processes lets you monitor performance and alert automatically when something goes wrong. Trackable data includes key events in the infrastructure and access logs. Building dashboards and an alerting system is an excellent way to keep your eye on everything and strengthen software development.

Provide Security Boosts and Development Opportunities
Mushrooms are the foundation of Mario's success. Most of the mushrooms in the game make him taller and stronger, but seeing a green extra life mushroom pop out of a smashed block is one of the most exciting moments in a Super Mario Bros. session. 

Like any smart gamer, department leaders need to always be on the lookout for ways to provide their DevOps teams with power-ups, as well as to help motivate them. As companies build practices where security is second nature, they will be able to boost their teams through opportunities for career development.

These productive pauses will equip developers with skill sets based on the most up-to-date practices and protocols, as well as knowledge of relevant regulatory policies.

After a lot of hard work, Mario always reaches the final castle and frees Princess Peach from the clutches of the heinous Bowser. At least until the next security failure, and then he'll have to do it all over again.

Don't let your company security fall into the same traps as this 40-year-old legacy. By being cautious about running past security issues, removing obstacles whenever possible, keeping your eye on potential problems, and giving your DevOps opportunities to continue improving, you can achieve the security version of a personal best.

Rick van Galen is a security engineer at 1Password, the leader in providing private, secure and user-friendly password management to businesses and consumers globally. Based in Toronto, he spearheads the company's reputational and industry-leading security protocols. Rick is ...
Comments
BoomerVF14
User Rank: Apprentice
4/29/2021 | 4:47:25 PM
Blocks? Pipes? Go-Karts?
My main man Mario started out by hammering barrels and saving damsels, kiddo.  Wish I'd invested all those quarters I gave him back in the 80s in Dogecoin.  Bet it was pretty cheap then.