A version of this article appeared in Help Net Security. It has been updated and syndicated here.
I have spent my career finding, fixing, discussing, and breaking down software vulnerabilities, one way or another. I know that when it comes to some common security bugs, despite being in our orbit since the 90s, they continue to plague our software and cause major problems, even though the (often simple) fix has been known for almost the same length of time. It truly feels like Groundhog Day, where we as an industry seem to do the same thing over and over and expect a different result.
There’s another little problem, however. We’re not getting realistic advice, nor the fastest solutions, to combat the non-stop onslaught that is modern cybersecurity. Of course, each breach is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable software. Feasible generic advice will be limited, but the best practice approach is looking more flawed by the hour.
To this end, I do have to wonder why so much of the commentary and analysis around cybersecurity has omitted solutions that truly address the root cause of so many vulnerabilities: humans. Gartner’s most recent Hype Cycle for Application Security, and Forrester’s The State of Application Security 2021, both bibles for security experts that undoubtedly help to shape their program and potential product adoption, are almost entirely tools-focused. A report by Aberdeen back in 2017 showed just how unruly the average security tech stack had become, with CISOs managing hundreds of products as part of their security strategies; four years later, we’re grappling with more risk, more vulnerabilities, and more additions to growing tech stack beasts.
Security tooling is a must-have, but we need to look wider and restore balance to the people component of security defense.
Virtually everything in our lives is powered by software, and it’s true that automation is replacing the human elements that were once present in so many industries. It’s a sign of progress in a world digitizing at warp speed, with AI and machine learning hot topics keeping many organizations future-focused.
So, why, then, would a human-focused approach to cybersecurity be anything other than an antiquated solution to a technologically advancing problem? The fact that billions of data records have been stolen in breaches in the past year, including the most recent Facebook breach affecting over half a billion accounts, should indicate that we’re not doing enough (or taking the right approach) to make a serious counter-punch to threat actors.
Cybersecurity tooling is a much-needed component of cyber defense, and tools will always have a place. Analysts have been absolutely on point in recommending the latest tools in a risk mitigation approach for enterprises, and that will not change. However, with code quality (and, by definition, security) difficult to manage at the volume of code production, tools cannot do the job alone. To date, there is no single tool that will:
Tools can be slow, cumbersome, and unwieldy. Above all, however, they only find problems - they don’t fix them, or recommend solutions. The latter requires security experts, who are thin on the ground and overworked, wading through the trash to find treasure in endless pentesting and scanning results.
The fact is, according to the IBM Cyber Security Intelligence Index Report, human error plays a role in 95% of all successful data breaches. Almost half of those directly relate to software vulnerabilities, many of which could be alleviated if there were stronger adherence to secure coding and awareness in the early stages of the SDLC. However, for this to happen, a sharper and more relevant focus on education for developers - in addition to making it intrinsic to their workflow - is key.
Whether we like it or not, humans are deeply ingrained in the software development process, and cybersecurity is overwhelmingly a human problem. Tools won’t be a catch-all to correct a fundamental flaw in our approach, but they can play a key supporting role in reshaping human solutions.
Security tooling is improving all the time. SAST/DAST/IAST tools have come a long way, improving in speed and intelligence, and RASP should be a serious defensive consideration in many application environments. Firewalls, secrets managers, cloud and network security applications: all no-brainers.
Humans can always strive to make better tools, but the innovation is not keeping up with the security and data protection needs of the digital world we live in. Tools are, for the most part, built with robots in mind. They might be there to assist developers and the security team in scanning, monitoring, or protecting code, but interaction is very limited, and very few solutions aim to elevate security awareness or improve core skills that can lead to better security outcomes.
In fact, more than half of enterprises don’t even know if the tools are working for them, nor are they confident that they could avoid a devastating data breach. That’s a very poor sentiment, and in a tools-obsessed industry lacking support for a different approach, it tends to solidify the status quo and the problems within.
There is no question that staying ahead of the trends in application security technology is beneficial, and can even help prioritize upgrades or consolidations in a bloated tech stack, but to forgo targeting the root cause of vulnerable software - we mere humans - is going to keep us on the losing side of the cybersecurity battlefront.
If we want to get serious about decreasing the number of code-level security vulnerabilities, then developers need to be given the foundations to succeed in sharing responsibility for security. They need relevant, hands-on education and on-the-job upskilling, and functional tooling that doesn’t disrupt their workflow, or make security a chore to develop. Ideally, some tools would be developer-centric, built with their user experience front-of-mind.
To this day, no formal security certification program exists for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, and before that big tech stack has to lurch into action and slow everything down.
A team of security-aware developers is a hidden treasure for any organization, but like anything worth having, it will take time and effort to build an effective dream team. Winning developers over to care about security, and view secure coding as a foundation of code quality, takes an organization-wide commitment to put security first. And when entire teams are switched on to the positive role they can play in eliminating common vulnerabilities as code is written, there isn’t a tool on Earth that can compete.