Application Security Weekly (Audio)

Software Trust & Adversaries, Developer-Focused Security - Shannon Lietz, Melinda Marks - ASW #246

Tue Jul 11 2023
Tags: Software Trust, Metrics, Resilience, Security, Collaboration, Cloud Native App-Sec, Vendor Selection

Description

This episode covers a wide range of topics related to software trust, metrics, resilience, security, and collaboration between developers and security teams. It explores the challenges faced by organizations in measuring trust in software and highlights the importance of metrics such as resilience, adoption, velocity, and error rates. The episode also delves into the role of security teams in shifting left and working closely with developers to ensure better security outcomes. Additionally, it discusses the unique considerations and challenges in Cloud Native app-sec and offers insights on cloud security programs and vendor selection.

Insights

Metrics are crucial for measuring trust in software

The episode emphasizes the need for meaningful metrics that go beyond adoption rates to measure trust in software. Resilience, adoption, velocity, and error rates are identified as key pillars for trust.

Collaboration between security teams and developers is essential

The episode highlights the importance of collaboration and understanding between security teams and developers. It emphasizes the need for better tools that integrate into developers' workflows and provide confidence in security.

Shifting security left empowers developers

The episode discusses the concept of shifting security left, giving developers security responsibilities while providing visibility and control for the security team. This approach enables developers to take on more responsibilities for better security outcomes.

Cloud Native app-sec requires a different mindset

The episode explores the unique challenges and considerations in Cloud Native app-sec. It emphasizes the need for a different mindset and approach compared to traditional app-sec, with a focus on visibility, policy, control, and faster remediation.

Choosing the right vendors and tools is crucial

The episode highlights the challenges faced by organizations in choosing the right vendors and tools in the cloud security space. It emphasizes the importance of evaluating existing tools, relying on education and peer recommendations, and considering factors such as flexibility, transparency, and unique capabilities.

Chapters

  1. Topics discussed at the first DEF CON in 1993
  2. Interview with Shannon Lietz about software trust and adversary management
  3. Interview with Melinda Marks about developer-focused security
  4. Metrics for measuring trust in software
  5. Metrics associated with security and resilience
  6. Importance of resilience and security in software
  7. Testing and automation in software security
  8. Collaboration between security teams and developers
  9. Cloud Native app-sec and challenges in cloud security
  10. Key considerations in Cloud Native security
  11. Cloud security challenges and solutions
  12. Considerations for startups and customers in cloud security
  13. Closing remarks and future topics

Topics discussed at the first DEF CON in 1993

00:01 - 07:28

  • Computer privacy
  • Workplace monitoring
  • Gender roles and discrimination
  • VR liability in simulated worlds

Interview with Shannon Lietz about software trust and adversary management

00:01 - 07:28

  • Shannon Lietz is the CEO of Third Score and has extensive experience in technology and cybersecurity
  • Discussion focuses on metrics and trust in software development
  • The RAVE community aims to create a unified set of metrics that incorporates DORA metrics and securability to measure trust in software
  • Shannon Lietz does not consider the current metrics for measuring success or trust useful
  • Review sites often focus on adoption rates rather than actual measures of trust or success

Interview with Melinda Marks about developer-focused security

00:01 - 07:28

  • Melinda Marks is a senior analyst at Enterprise Strategy Group
  • Discussion focuses on shifting left in Cloud Native development
  • Challenges faced by organizations in supporting development as it scales
  • Importance of security teams working with developers in shifting left
  • Developers taking on more responsibilities like testing for better security outcomes

Metrics for measuring trust in software

06:58 - 14:31

  • Review sites and feature comparisons only show adoption, not the full set of resilience, adoption, velocity, and error rates (RAVE)
  • Resilience, adoption, velocity, and errors are the pillars of trust in software
  • Lack of resilience can lead to churn in software adoption
  • Slow velocity of features or fixes can erode trust in software
  • High error rates make software hard to trust
  • Different people care about different metrics when judging trust
  • Metrics for resilience should be reconciled with availability and security
  • Developers consider resilience when deciding on critical-path or latency requirements
  • Risk is related to resilience, and security metrics need tolerances
  • Thresholds for metrics need to be set industry-wide to allow meaningful conversations about risk tolerance

Metrics associated with security and resilience

14:09 - 21:21

  • Metrics associated with security need tolerances, such as fixing all publicly known vulnerabilities
  • Default passwords should have zero tolerance in the environment because of their high risk
  • Comparing availability to security allows for trade-offs and easier conversations with non-experts
  • Resilience is often measured in 'nines', with five nines being the highest level of resilience
  • RAVE metrics can be adapted to nines and are helpful for specific audiences, but not for everyone
  • KPIs and metrics related to security should be business-friendly and developer-friendly first
  • CVSS scores can be useful metadata when establishing the denominator of security
  • Resilience issues are commonly tied to security, which is often overlooked because development and security teams do not collaborate
  • Developers want guidance on prioritizing vulnerabilities based on their impact on their managers' priorities
  • Product managers need to understand that security should be part of the budget from the start of development
  • Error rates and resilience are understandable metrics for developers, while graceful degradation may not apply to security
  • Securability, resiliency, and error rates help drive down risk

Importance of resilience and security in software

20:52 - 28:19

  • Resilience is important for uptime and recovery, but security may not degrade gracefully
  • Securability refers to the ability to maintain a secure environment
  • Having a defined denominator of vulnerabilities is critical for security control
  • Security will always involve some level of risk management
  • Understanding adversaries' motivations and monetization methods is crucial for threat modeling
  • Applying an adversary profile in testing can help identify vulnerabilities and prioritize mitigation efforts
  • Creating scorecards based on adversary personas can improve security testing and risk mitigation strategies
  • The industry lacks a comprehensive scorecard approach for assessing security risks
  • A percentage of website traffic may be abusive, so understanding the extent of abuse is important

Testing and automation in software security

27:59 - 34:38

  • Knowing the percentage of abusive traffic reaching your site can be helpful for application security professionals
  • Tuning controls based on the techniques adversaries use is important
  • Big companies should be able to classify and clear out certain types of traffic themselves instead of paying for it
  • There should be an easier way to set up offensive testing in environments like Kubernetes
  • Having a test plan tied to hardening guidelines can help ensure secure capabilities
  • Transparency and metrics are important for building trust in software security
  • The RAVE community is focused on metrics and on sharing information about them
  • Shannon has started writing articles on Medium to share her knowledge and promote software trust
  • Testing ahead of adversaries can reduce surprises and improve software security

Collaboration between security teams and developers

41:16 - 47:30

  • Developers want to make their work easier and do care about security, but don't want to become security experts
  • Challenges include security teams having no visibility into development processes and tools
  • Organizations are shifting left through cloud security platform tools, open source tools, and custom tools
  • Friction arises when developers are forced to use security vendor tools that don't fit their workflows
  • Better tools that integrate into developers' workflows and provide confidence in security have been developed
  • Collaboration and understanding between security teams and developers are key to success
  • Consolidating tools and reducing alert fatigue is important for both developers and security teams
  • The traditional linear product development cycle needs to be replaced with a more dynamic approach
  • Security teams need to become enablers of development rather than doing all the testing themselves
  • Security teams should understand cloud native development issues such as infrastructure-as-code templates, misconfigured operations, APIs, and open source software vulnerabilities
  • Working with developers to make things easier for them and automating security processes is crucial
  • Shifting security left means giving developers some responsibilities while providing visibility and control for the security team

Cloud Native app-sec and challenges in cloud security

47:07 - 54:34

  • Shifting security left to developers, giving them security responsibilities
  • Developers having visibility into and control over security processes
  • AppSec tasks should disappear as separate work and be absorbed into development work
  • Blending the AppSec team with the development team in a DevSecOps approach
  • Importance of strategic alignment between IT, ops, and AppSec teams
  • Success in cloud native apps comes with a developer or DevOps mindset in the security team
  • Different titles and roles are evolving in cloud security engineering teams
  • A cloud detection and response study examined how organizations approach security
  • Aligning the security team with business goals so it enables instead of blocks
  • The cybersecurity skills shortage leads to gaps in cloud security expertise
  • Challenges of faster development life cycles and the complexity of gaining visibility in dynamic cloud environments

Key considerations in Cloud Native security

54:19 - 1:01:30

  • Cloud Native app-sec requires a different mindset and approach compared to traditional app-sec
  • Visibility, policy, control, and faster remediation are key in Cloud Native security
  • Manual labor and wasted time managing multiple tools is a common issue in Cloud Native security
  • Access and entitlement management in Cloud infrastructure often involve manual processes and over-provisioning
  • Confusion arises from the use of acronyms in the cloud security space
  • Vendors sometimes struggle to accurately describe their solutions, leading to confusion for customers
  • Building categories or falling into acronyms doesn't always align with solving real problems efficiently
  • CISOs should focus on scaling teams, gaining visibility, meeting compliance regulations, and responding quickly to threats
  • The concept of a cloud center of excellence is emerging as a potential structure for successful cloud security programs

Cloud security challenges and solutions

1:01:04 - 1:08:35

  • Increasing number of cloud centers of excellence and security engineers
  • Clueless CISOs with an old security mindset frustrate the speaker
  • More training and knowledge sharing is needed to bridge the gap between groups
  • Certain companies have advantages because of cybersecurity skills gaps elsewhere
  • Custom-built solutions for cloud native organizations
  • Importance of evaluating existing tools before adopting new ones
  • Helping vendors communicate honestly and solve customer needs
  • Assisting understaffed or wrongly positioned companies in finding suitable vendors

Considerations for startups and customers in cloud security

1:08:14 - 1:15:31

  • For startups, it's important to provide objective information and value demonstrations to gain trust from organizations
  • Organizations in the security industry are skeptical and need clear value propositions without marketing buzz
  • There are many vendors in different categories, making it challenging for customers to choose. They should rely on education, peer recommendations, and trials to find the truth
  • Cloud Native offers the benefit of shorter sales cycles and easier experimentation with SaaS products
  • Subscription models and pay-as-you-go pricing help reduce lock-in issues and increase flexibility in tool selection
  • Financial concerns have led to shorter subscription periods, allowing companies to switch vendors more easily as they grow
  • Startups should focus on being flexible, transparent about pricing, and capable of handling high website traffic for product sales
  • The ability to provide demos or trials that showcase unique capabilities can be a compelling factor for customers
  • Melinda is working on a series with another analyst covering DevOps, app modernization, infrastructure modernization, and security trends
  • Future episodes will explore topics like generative AI implications for development and security, as well as APIs and developer awareness of security

Closing remarks and future topics

1:15:11 - 1:16:41

  • Kitty's name is Iris
  • Melinda describes appsec in three words: efficiency, efficacy, and hyphenated cloud native
  • Melinda provides information about modernization cloud and being strategic as CISOs
  • John thanks Melinda and the audience for joining
  • Subscribe, like, and check out the show notes
  • Check out Faded by Hotel Pools