I have spent my career researching, troubleshooting, discussing, and breaking down software vulnerabilities, one way or another. I know that some common security flaws, despite having been in our orbit since the 90s, continue to affect our software and cause major problems, even though the (often simple) fix has been known for almost as long. It really feels like Groundhog Day: as an industry we seem to do the same thing over and over again and expect a different result.
There is another small problem, though. We do not receive realistic advice, nor the quickest solutions, for combating the relentless onslaught that is the modern threat landscape. Of course, each attack is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable programs. Generic advice that is actually feasible will always be limited, but the best-practice approach seems to fall even shorter.
To that end, I have to wonder why so much cybersecurity commentary and analysis has omitted solutions that address the root cause of so many vulnerabilities: humans. The recent Gartner Hype Cycle for Application Security report and Forrester's The State of Application Security 2021 report, both bibles for security experts that no doubt help shape your program and the adoption of potential products, are almost entirely focused on tools.
An Aberdeen report in 2017 showed how bloated the average security technology stack had become, with CISOs managing hundreds of products as part of their security strategies; four years later, we face more risks, more vulnerabilities, and more additions to the ever-growing beast of a technology stack.
Security tools are essential, but we need to look more broadly and restore balance among the components of security defense.
Automation is the future. Why should we be concerned about the human element of cybersecurity?
Virtually everything in our lives is powered by software, and it is true that automation replaces the human elements that were once present in so many industries. It is a sign of progress in a world changing at warp speed, with the hot topics of AI and machine learning keeping many organizations focused on the future.
So why, then, would a human-centered approach to cybersecurity be anything other than an outdated solution to a technologically advancing problem? The fact that billions of data records have been stolen over the past year, including Facebook's most recent breach affecting more than half a million accounts, should indicate that we are not doing enough (or taking the right approach) to seriously counter threat actors.
Cybersecurity tools are a much-needed component of cyber defense, and tools will always have a place in it. Analysts have been absolutely forthcoming in recommending the latest tools as part of a risk mitigation approach for companies, and that will not change. However, with code quality (and, by extension, security) difficult to manage at the volume of code being produced, tools cannot do the job alone. So far, there is no tool that:
- Finds all vulnerabilities, in every language and framework
- Scans at speed
- Minimizes the double handling caused by false positives and false negatives
Tools can be slow, cumbersome and clunky. Above all, however, they only find problems: they do not fix them or recommend solutions. That part falls to security experts, who are thin on the ground and overworked, and who must dig through endless penetration test and scan results to find the real findings among the noise.
The fact is that, according to the IBM Cyber Security Intelligence Index Report, human error plays a role in 95% of all successful data breaches. Nearly half of these are directly related to software vulnerabilities, many of which could be alleviated if there were greater adherence to secure coding and greater awareness in the early stages of the SDLC. For this to happen, however, a sharper and more relevant approach to developer education is essential, as is making it intrinsic to their workflow.
Like it or not, humans are deeply rooted in the software development process, and cybersecurity is overwhelmingly a human problem. Tools cannot correct a fundamental flaw in our approach, but they can play a key supporting role in human-led solutions.
What if we just built better tools (and many of them)?
Security tools are constantly improving. SAST / DAST / IAST tools have come a long way, improving in speed and intelligence, and RASP should be a serious defensive consideration in many application environments. Firewalls, secrets managers, network and cloud security applications: none of these are the problem.
Humans can always strive to create better tools, but innovation is not keeping up with the security and data protection needs of the digital world we live in. The tools, for the most part, are built with robots in mind. They may help developers and security teams scan, monitor, or protect code, but the interaction is very limited, and few solutions aim to raise security awareness or improve the basic skills that lead to better security outcomes.
In fact, more than half of companies do not even know whether their tools work for them, nor do they trust that those tools can prevent a devastating data breach. That is a very poor state of confidence, and in a tool-obsessed industry with no appetite for a different approach, it tends to entrench the status quo and its problems.
How can an organization take advantage of a human-led approach to security?
There is no doubt that staying ahead of trends in application security technology is beneficial, and it can even help prioritize upgrades or consolidations in a bloated technology stack. But ignoring the root cause of vulnerable software (us, mere humans) will keep us on the losing side of the cybersecurity battle.
If we want to seriously reduce the number of code-level security vulnerabilities, developers need the foundation to succeed in taking on security responsibility. They need relevant, practical education, on-the-job upskilling, and functional tools that do not disrupt their workflow or turn security into a chore. Ideally, some tools should be developer-centric, designed around their user experience.
To date, there is no formal security certification program for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, before the big technology stack has to kick in and slow everything down.
A team of security-conscious developers is a hidden treasure for any organization, but like anything worthwhile, building an effective dream team takes time and effort. Getting developers to care about security and to see secure coding as the basis for code quality is a commitment by the entire organization to put security first. And when whole teams catch on to the positive impact they can have by eliminating common vulnerabilities as the code is written, there is no tool on Earth that can compete.