
Application Security

4/22/2021
10:00 AM
Rick van Galen
Commentary

Looking for Greater Security Culture? Ask an 8-Bit Plumber

After 40 years of navigating catastrophes, video game character Mario can help us with a more intelligent approach to DevOps and improving security culture.

Mario is a beloved Nintendo character — many of you will be familiar with his journey of smashing blocks, exploring pipes, and ripping a few laps on go-karts. Unfortunately, Mario's journey is often interrupted when a giant turtle monster, Bowser, inevitably infiltrates the nearby castle over and over again to wreak havoc, and it becomes Mario's job to set everything right. 

It would be a stretch to imagine a better example of a terrible security culture.

As we reflect on the past 40 years of helping Mario fix one catastrophe after another, it's worth considering how his example can help us understand a more intelligent approach to DevOps security. Companies have the tools to improve their culture of security by enabling DevOps teams to build it into their foundation — and defeat the Bowsers of today. 

Prioritize Extra Lives Over Speed Runs
Everyone loves a good speed run, and there is a certain satisfaction in recording a new personal best. However, a complete run is more than beating levels as quickly as possible; it's about stopping Bowser in the most efficient way possible. Obtaining that best time usually means eating up a lot of Mario's lives to learn the traps and obstacles of the levels, a luxury many companies can't afford.

That's not to say that speed isn't important in addressing security breaches. But going fast becomes a liability for DevOps teams if they fail to address all the potential issues. Now more than ever, speed has become the end-all be-all as we witness an explosion of apps due to the pandemic — putting tons of pressure on our DevOps teams. From an ethical hacker's perspective, going as fast as possible might keep hackers on their toes, but it can also provide a false sense of security because important protective measures might fall through the cracks.

Credit: RoseStudio via Adobe Stock

In the same way that speedrunning a video game certainly means a player will die repeatedly in an effort to cut seconds off their time, ignoring security issues in the name of speed can gum up the works in the long run. It's the end goal that matters, not short-term gains. If developers have security as their first goal and speed as their second, they will have less of a need to go back and fix any issues.

Make It Easy for Developers to Avoid Obstacles 
Anyone playing Mario knows how important it is to memorize the enemies' moves and behaviors to progress through a level. Timing is everything when facing spring traps like the Thwomps, big walls that still manage to squish even a skilled player. For businesses, we have a good sense of hackers' tactics and need to work with DevOps to address those security concerns at every level of development. 

Recognizing when you are vulnerable to a trap will get you through some challenges, but the most experienced developers plan for the traps ahead of time. DevOps team members with the deepest knowledge are always thinking about security, so they can create software without security becoming a stumbling block down the road.

Organizations should take steps to make security routine, from planning to testing to deployment. Embedding security into every phase of software development will help developers always keep security top of mind and prevent it from becoming an obstacle to trip up progress.

Keep an Eye on Your Processes
Every once in a while, Mario has to find his way through a haunted house in order to progress along the path to save the day. These are the hangouts of the infamous Boos, ghosts that can spell game over if you don't look directly back at them and track their whereabouts.

When Mario is facing the Boos, their ability to hurt him is drastically reduced. Similarly, when companies rely heavily on security and automation, developers must carefully watch and keep tabs on their processes or it can turn into a disaster. 

To put this into perspective, Veracode's recent "State of Software Security" report found that when running static analysis (SAST) scans through an API, organizations can repair flaws 17.5 days faster on average. Results will vary per organization, but it's clear that monitoring your performance will pay off.

Keeping an account of fast-moving and automated processes lets you monitor performance and alert automatically when something goes wrong. Trackable data includes key events in the infrastructure and access logs. Building dashboards and an alerting system is an excellent way to keep your eye on everything and strengthen software development.
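As an added illustration of the monitoring this section describes (this is example code written for this page, not code from the article, from 1Password, or from Veracode), the script below parses a few constructed access-log lines, applies two simple alert rules over them, and computes mean time-to-fix for a handful of constructed SAST findings grouped by how the scan was triggered. Every log line, finding record, threshold, and the "api"/"manual" trigger label is an assumption made for the example; the resulting numbers are invented and unrelated to the Veracode report's figures.

```python
"""Constructed monitoring example: turn access logs and pipeline events into
alerts and a time-to-fix metric. All sample data below is made up."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in Common Log Format (documentation-range IPs).
ACCESS_LOG = """\
203.0.113.5 - - [22/Apr/2021:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [22/Apr/2021:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [22/Apr/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [22/Apr/2021:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [22/Apr/2021:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [22/Apr/2021:10:00:06 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.7 - - [22/Apr/2021:10:01:00 +0000] "GET /dashboard HTTP/1.1" 200 2048
198.51.100.7 - - [22/Apr/2021:10:01:30 +0000] "GET /admin/users HTTP/1.1" 403 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Parse CLF lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def failed_login_alerts(entries, threshold=5, window_seconds=60):
    """Alert when one source IP produces `threshold` 401s on POST /login
    within `window_seconds`; record whether a 200 followed, since a success
    after a burst of failures means the account itself needs a look."""
    alerts = []
    by_ip = defaultdict(list)
    for e in entries:
        if e["path"] == "/login" and e["method"] == "POST":
            by_ip[e["ip"]].append(e)
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        failures = [h for h in hits if h["status"] == 401]
        for i in range(len(failures)):
            j = i + threshold - 1
            if j >= len(failures):
                break
            span = (failures[j]["ts"] - failures[i]["ts"]).total_seconds()
            if span <= window_seconds:
                later_success = any(
                    h["status"] == 200 and h["ts"] > failures[j]["ts"] for h in hits
                )
                alerts.append({"rule": "login-burst", "ip": ip,
                               "count": len(failures), "success_after": later_success})
                break  # one alert per IP is enough for a dashboard
    return alerts


def forbidden_admin_alerts(entries, prefix="/admin"):
    """Flag any 403 under the admin prefix: a key event worth a dashboard tile."""
    return [{"rule": "admin-forbidden", "ip": e["ip"], "path": e["path"]}
            for e in entries if e["path"].startswith(prefix) and e["status"] == 403]


# Constructed SAST pipeline events: when a finding was opened and fixed, tagged
# by how the scan was triggered. Dates and labels are invented for illustration.
FINDINGS = [
    {"id": "F-1", "trigger": "api", "opened": "2021-03-01", "fixed": "2021-03-04"},
    {"id": "F-2", "trigger": "api", "opened": "2021-03-02", "fixed": "2021-03-07"},
    {"id": "F-3", "trigger": "manual", "opened": "2021-03-01", "fixed": "2021-03-20"},
    {"id": "F-4", "trigger": "manual", "opened": "2021-03-05", "fixed": "2021-03-26"},
]


def mean_days_to_fix(findings):
    """Mean open-to-fixed duration in days, grouped by scan trigger."""
    days = defaultdict(list)
    for f in findings:
        opened = datetime.strptime(f["opened"], "%Y-%m-%d")
        fixed = datetime.strptime(f["fixed"], "%Y-%m-%d")
        days[f["trigger"]].append((fixed - opened).days)
    return {trigger: sum(vals) / len(vals) for trigger, vals in days.items()}


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    for alert in failed_login_alerts(entries) + forbidden_admin_alerts(entries):
        print("ALERT", alert)
    print("mean days to fix by trigger:", mean_days_to_fix(FINDINGS))
```

The two alert rules and the time-to-fix metric are deliberately simple so the logic is auditable; in practice the thresholds would be tuned against your own baseline, and the parsed entries would be shipped to whatever dashboard and alerting system the team already runs rather than printed.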

Provide Security Boosts and Development Opportunities
Mushrooms are the foundation of Mario's success. Most of the mushrooms in the game make him taller and stronger, but seeing a green extra life mushroom pop out of a smashed block is one of the most exciting moments in a Super Mario Bros. session. 

Like any smart gamer, department leaders need to always be on the lookout for ways to provide their DevOps teams with power-ups, as well as to help motivate them. As companies build practices where security is second nature, they will be able to boost their teams through opportunities for career development.

These productive pauses will equip developers with skill sets based on the most up-to-date practices and protocols, as well as knowledge of relevant regulatory policies.

After a lot of hard work, Mario always reaches the final castle and frees Princess Peach from captivity by the heinous Bowser. At least until the next security failure, and then he'll have to do it all over again.

Don't let your company security fall into the same traps as this 40-year-old legacy. By being cautious about running past security issues, removing obstacles whenever possible, keeping your eye on potential problems, and giving your DevOps opportunities to continue improving, you can achieve the security version of a personal best.

Rick van Galen is a security engineer at 1Password, the leader in providing private, secure and user-friendly password management to businesses and consumers globally. Based in Toronto, he spearheads the company's reputational and industry-leading security protocols. Rick is ...

Comments

BoomerVF14,
User Rank: Apprentice
4/29/2021 | 4:47:25 PM
Blocks? Pipes? Go-Karts?
My main man Mario started out by hammering barrels and saving damsels, kiddo.  Wish I'd invested all those quarters I gave him back in the 80s in Dogecoin.  Bet it was pretty cheap then.