Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
10:00 AM
Rick van Galen
Rick van Galen
Connect Directly
E-Mail vvv

Looking for Greater Security Culture? Ask an 8-Bit Plumber

After 40 years of navigating catastrophes, video game character Mario can help us with a more intelligent approach to DevOps and improving security culture.

Mario is a beloved Nintendo character — many of you will be familiar with his journey of smashing blocks, exploring pipes, and ripping a few laps on go-karts. Unfortunately, Mario's journey is often interrupted when a giant turtle monster, Bowser, inevitably infiltrates the nearby castle over and over again to wreak havoc, and it becomes Mario's job to set everything right. 

It would be a stretch to imagine a better example of a terrible security culture.

Related Content:

How Do I Get Management to Buy into a SecDevOps Program?

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

As we reflect on the past 40 years of helping Mario fix one catastrophe after another, it's worth considering how his example can help us understand a more intelligent approach to DevOps security. Companies have the tools to improve their culture of security by enabling DevOps teams to build it into their foundation — and defeat the Bowsers of today. 

Prioritize Extra Lives Over Speed Runs
Everyone loves a good speed run, and there is a certain satisfaction in recording a new personal best. However, a complete run is more than beating levels as quickly as possible; it's about stopping Bowser in the most efficient way possible. Obtaining that best time usually means eating up a lot of Mario's lives to learn the traps and obstacles of the levels, a luxury many companies can't afford.

That's not to say that speed isn't important in addressing security breaches. But going fast becomes a liability for DevOps teams if they fail to address all the potential issues. Now more than ever, speed has become the end-all be-all as we witness an explosion of apps due to the pandemic — putting tons of pressure on our DevOps teams. From an ethical hacker's perspective, going as fast as possible might keep hackers on their toes but that can also provide a false sense of security because important protective measures might fall through the cracks. 

Credit: RoseStudio via Adobe Stock
Credit: RoseStudio via Adobe Stock

In the same way that speedrunning a video game certainly means a player will die repeatedly in an effort to cut seconds off their time, ignoring security issues in the name of speed can gum up the works in the long run. It's the end goal that matters, not short-term gains. If developers have security as their first goal and speed as their second, they will have less of a need to go back and fix any issues.

Make It Easy for Developers to Avoid Obstacles 
Anyone playing Mario knows how important it is to memorize the enemies' moves and behaviors to progress through a level. Timing is everything when facing spring traps like the Thwomps, big walls that still manage to squish even a skilled player. For businesses, we have a good sense of hackers' tactics and need to work with DevOps to address those security concerns at every level of development. 

Recognizing when you are vulnerable to a trap will get you through some challenges, but the most experienced developers plan for the traps ahead of time. DevOps team members with the deepest knowledge are always thinking about security, so they can create software without security becoming a stumbling block down the road.

Organizations should take steps to make security routine, from planning to testing to deployment. Embedding security into every phase of software development will help developers always keep security top of mind and prevent it from becoming an obstacle to trip up progress.

Keep an Eye on Your Processes
Every once in a while, Mario has to find his way through a haunted house in order to progress along the path to save the day. These are the hangouts of the infamous Boos, ghosts that if you don't look directly back at them and track their whereabouts could spell game over.

When Mario is facing the Boos, their ability to hurt him is drastically reduced. Similarly, when companies rely heavily on security and automation, developers must carefully watch and keep tabs on their processes or it can turn into a disaster. 

To put this into perspective, Veracode's recent "State of Software Security" report found that when running static analysis (SAST) scans through an API, organizations can repair flaws 17.5 days faster on average. Results will vary per organization, but it's clear that monitoring your performance will pay out.

Taking account of fast-moving and automated processes is important to monitor performance and automatically alert when something goes wrong. Trackable data includes key events in the infrastructure and access logs. Building dashboards and an alerting system is an excellent way to keep your eye on everything and strengthen software development. 

Provide Security Boosts and Development Opportunities
Mushrooms are the foundation of Mario's success. Most of the mushrooms in the game make him taller and stronger, but seeing a green extra life mushroom pop out of a smashed block is one of the most exciting moments in a Super Mario Bros. session. 

Like any smart gamer, department leaders need to always be on the lookout for ways to provide their DevOps with powerups, as well to help motivate them. As companies build practices where security is second nature, they will be able to boost their teams through opportunities for career development.

These productive pauses will equip developers with skill sets based on the most updated practices and protocols, as well as knowledge or relevant regulatory policies. 

After a lot of hard work, Mario always reaches the final castle and frees Princess Peach from captivity to the heinous Bowser. At least until the next security failure, and then he'll have to do it all over again. 

Don't let your company security fall into the same traps as this 40-year-old legacy. By being cautious about running past security issues, removing obstacles whenever possible, keeping your eye on potential problems, and giving your DevOps opportunities to continue improving, you can achieve the security version of a personal best.

Rick van Galen is a security engineer at 1Password, the leader in providing private, secure and user-friendly password management to businesses and consumers globally. Based in Toronto, he spearheads the company's reputational and industry-leading security protocols. Rick is ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/29/2021 | 4:47:25 PM
Blocks? Pipes? Go-Karts?
My main man Mario started out by hammering barrels and saving damsels, kiddo.  Wish I'd invested all those quarters I gave him back in the 80s in Dogecoin.  Bet it was pretty cheap then.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file