
Application Security

3/14/2017
10:30 AM
Mike D. Kail
Mike D. Kail
Commentary

The Industrial Revolution of Application Security

DevOps is driving big changes in the industry, but a cultural shift is needed.

The industrial revolution marks a significant time period in our history because it was one of the first "disruptions" that led to advances in productivity and innovation. The most important inventions were the machines that automated work done manually with human capital and various tools. It is responsible for the cotton gin, the steam engine, the telegraph, new chemical manufacturing and iron production processes, and the rise of the factory system.

There are many parallels to the industrial revolution in the technology sector, including the advent and growth of the Internet, the migration to cloud computing, and the rise of mobile devices as endpoints. One of the main forces driving this technological revolution is the adoption of development and operations (DevOps) culture. DevOps is all about collaboration and communication. Its core tenets are culture, automation, measurement, and sharing.

The first step is to break down the walls between teams, building a culture where individuals are encouraged to work with other teams and step outside the traditional channels of the waterfall model. Automation brings productivity gains, higher accuracy, and consistency. Measurement is crucial in DevOps for continuous improvement: data and results need to be readily available, transparent, and accessible to all. The fourth tenet, the sharing of best practices, discoveries, and so on, includes sharing not only inside an organization between teams and departments but also with other organizations and companies in the community, to best drive innovation.

Unfortunately, cybersecurity, specifically code and application security, hasn't kept pace with this rapid progress. Far too many solutions have been vertically focused on the how instead of horizontally focused on the why. Much like how the railroad provided the platform to support numerous aspects of the industrial revolution, there needs to be a convergence of disparate tools and human capital initiatives onto a common platform that seamlessly integrates code and application security analysis and vulnerability testing without requiring developer intervention. That assertion was validated for me by walking the floor at the RSA Conference in February. There are simply too many vendors using the same messaging relying on FUD (fear, uncertainty, and doubt).

Barriers to Success
Before the industrial revolution, there were several barriers to innovation and advancement. There is certainly a parallel in the current state of application security. The first barrier is the vast landscape of tools and point solutions, which all tend to be vertically focused on specific areas and capabilities. This presents a serious challenge in effectively scaling out both human capital (security engineers) and complete coverage of code repositories and application catalogs.

Another barrier is that the security team is typically not integrated into the software development life cycle. This leads to the security team having to be the gatekeeper to application update delivery, or acting as police after the delivery. These two barriers often lead to the creation of a contentious relationship between the DevOps and security operations (SecOps) teams, instead of the collaborative, sharing culture that is inherent to DevOps. Another barrier is the serious cybersecurity skills gap—the nonprofit Center for Cyber Safety and Education estimates there will be a shortage of 1.8 million information security workers by 2022. Without security talent, we can't expect to further our innovation and security resiliency.

Risk, to me, is a four-letter word. I believe that there is too much focus and emphasis on mitigating risk, which is primarily a defensive stance, versus "playing offense" and managing and monitoring risk as an "elastic asset." My contrarian view of application security is that we, as an industry, need to start playing offense in a continuous manner instead of relying on passive defensive approaches performed on a weekly/monthly/quarterly/annual basis. For starters, we need to incorporate application scanning far earlier in the software development life cycle. Security can't be an afterthought. Attackers at all levels are continuously scanning applications and infrastructure for the smallest vulnerability, so we need to act accordingly. If we hope to move the security and resiliency needle at all, we need to adopt the same automated and continuous approach.

I firmly believe that social and cultural changes—a key driver of the industrial revolution—will power the shift that needs to happen in the application security sector to positively disrupt our overall security resiliency, leading to an industrial revolution of application security. The "base of the stack" is the cultural change and mental shift to the culture of DevOps, which then drives the culture of DevSecOps.

Going forward, we collectively need to focus on the end game, the why, rather than fixating on individual tools that address only some segments of the DevOps security challenge. The industrial revolution of application security is ours for the taking, and we're so close! We just need our common platform "railroad," widespread trust in the DevSecOps approach, and an eye on the prize (focusing on the why, not the how).

Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo's chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice ...