The industrial revolution marks a significant period in our history because it was one of the first "disruptions" that led to advances in productivity and innovation. Its most important inventions were the machines that automated work previously done by hand with human labor and simple tools. It is responsible for the cotton gin, the steam engine, the telegraph, new chemical manufacturing and iron production processes, and the rise of the factory system.
There are many parallels to the industrial revolution in the technology sector, including the advent and growth of the Internet, the migration to cloud computing, and the rise of mobile devices as endpoints. One of the main forces driving this technological revolution is the adoption of development and operations (DevOps) culture. DevOps is all about collaboration and communication. Its core tenets are culture, automation, measurement, and sharing.
The first step is to break down the walls between teams, building a culture where individuals are encouraged to work with other teams and step outside the traditional channels of the waterfall model. Automation brings productivity gains, higher accuracy, and consistency. Measurement is crucial in DevOps for continuous improvement—data and results need to be readily available, transparent, and accessible to all. The fourth tenet—the sharing of best practices, discoveries, etc.—covers sharing not only inside an organization, between teams and departments, but also with other organizations and companies in the community, to best drive innovation.
Unfortunately, cybersecurity, specifically code and application security, hasn't kept pace with this rapid progress. Far too many solutions have been vertically focused on the how instead of horizontally focused on the why. Much like how the railroad provided the platform to support numerous aspects of the industrial revolution, there needs to be a convergence of disparate tools and human capital initiatives onto a common platform that seamlessly integrates code and application security analysis and vulnerability testing without requiring developer intervention. That assertion was validated for me by walking the floor at the RSA Conference in February. There are simply too many vendors using the same messaging relying on FUD (fear, uncertainty, and doubt).
Barriers to Success
Before the industrial revolution, there were several barriers to innovation and advancement. There is certainly a parallel in the current state of application security. The first barrier is the vast landscape of tools and point solutions, which all tend to be vertically focused on specific areas and capabilities. This makes it seriously difficult to scale both the human capital (security engineers) and complete coverage of code repositories and application catalogs effectively.
Another barrier is that the security team is typically not integrated into the software development life cycle. This leaves the security team acting either as the gatekeeper for application update delivery or as the police after delivery. These two barriers often create a contentious relationship between the DevOps and security operations (SecOps) teams, instead of the collaborative, sharing culture that is inherent to DevOps. A further barrier is the serious cybersecurity skills gap—the nonprofit Center for Cyber Safety and Education estimates there will be a shortage of 1.8 million information security workers by 2022. Without security talent, we can't expect to further our innovation and security resiliency.
Risk, to me, is a four-letter word. I believe that there is too much focus and emphasis on mitigating risk, which is primarily a defensive stance, versus "playing offense" and managing and monitoring risk as an "elastic asset." My contrarian view of application security is that we, as an industry, need to start playing offense in a continuous manner instead of passive defensive approaches performed on a weekly/monthly/quarterly/annual basis. For starters, we need to incorporate application scanning way earlier in the software development life cycle. Security can't be an afterthought. Attackers at all levels are scanning applications and infrastructure for the smallest vulnerability on a continuous basis, so we need to act accordingly. If we hope to move the security and resiliency needle at all, we need to adopt the same automated and continuous approach.
I firmly believe that social and cultural changes—a key driver of the industrial revolution—will power the shift that needs to happen in the application security sector to positively disrupt our overall security resiliency, leading to an industrial revolution of application security. The "base of the stack" is the cultural change and mental shift to the culture of DevOps, which then drives the culture of DevSecOps.
Going forward, we collectively need to focus on the end game or the why rather than fixating on individual tools that address only some segments of the DevOps security challenge. The industrial revolution of application security is ours for the taking, and we're so close! We just need our common platform "railroad," widespread trust in the DevSecOps approach, and an eye on the prize (focusing on why not how).