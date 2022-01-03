



Contrast Security's CTO and co-founder helps businesses genuinely improve the security of their apps and APIs.

There are cycles in the history of computing that have repeated many times. Engineers and IT architects innovate, and the result is new technology. They build a platform, and its adoption grows until it reaches its limits. Shortly thereafter, a new cutting-edge technology emerges and is adopted almost universally by businesses. In infrastructure, this cycle played out on mainframes for years, then on desktops, physical servers, and virtual servers. For applications, we have moved from mainframes to on-premises servers to the web.

Unfortunately, every time this cycle occurs, security innovation lags behind the development and growth of the new technology. As a rule, it takes years for organizations to understand how to protect a new platform. Sadly, just as we get good at securing something, the world moves on to the next technology, essentially throwing away all the security lessons we learned in the last cycle. Ironically, the burden of configuring, maintaining, and monitoring security is often what drives the transition to next-generation technologies.

The reason for the cycle

Why does this happen? One reason, of course, is that the people involved in the initial development of a new technology do not do proper security analysis. They focus on the features they are trying to deliver and seem to assume that security staff will handle those issues later.

Because security is bolted on after a new technology emerges, its earliest penetration testing is done by cybercriminals and a small number of talented volunteer security researchers. Breaches occur and people are harmed, but it is these attacks that ultimately push organizations to do a better job of protecting the platform.

Another cycle: cloud-native technology

Today, this cycle is repeating again with cloud-native technologies such as serverless applications and application programming interfaces (APIs). And security is lagging behind once more. Many of the security mechanisms developed for the last round of innovation, traditional monolithic web applications, do not work in cloud-native architectures. For example, we need different approaches to authentication, session management, authorization, and input validation.

But it’s easy to see why serverless applications are so attractive. With AWS Lambda, the most popular serverless computing platform, you can write an application in just a few lines of code while eliminating the cost and hassle of managing the servers it runs on. However, that calculation often ignores the 50,000 lines of code that might be needed to give the application proper visibility and security.
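To make the "few lines of code" point concrete, here is an added example (not code from the article or from Contrast Security) showing a minimal Lambda handler beside a version that adds the input validation and request-level logging the text says usually gets left out. It assumes the AWS API Gateway proxy integration event shape (`event["body"]`, `event["requestContext"]["requestId"]`); the handler names, the `username` field, and the sample events are hypothetical and constructed for offline use.

```python
import json
import logging
import re

# Added example, not from the article or from Contrast Security.
# Assumes the AWS API Gateway proxy integration event shape
# (event["body"], event["requestContext"]["requestId"]).
# Handler names and the "username" field are hypothetical.

logger = logging.getLogger("greet")
logger.setLevel(logging.INFO)

# Allow-list pattern for the one field this function accepts.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
MAX_BODY_BYTES = 4096


def naive_handler(event, context):
    """The 'few lines of code' version: trusts its input completely."""
    body = json.loads(event["body"])
    return {"statusCode": 200, "body": json.dumps({"message": f"Hello, {body['username']}"})}


def _response(status, payload, request_id):
    """Build an API Gateway proxy response that echoes the request id for tracing."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json", "X-Request-Id": request_id},
        "body": json.dumps(payload),
    }


def hardened_handler(event, context):
    """Same feature, plus the validation and visibility the article says gets left out."""
    request_id = (event.get("requestContext") or {}).get("requestId", "unknown")
    raw = event.get("body") or ""
    # 1. Bound the input size before parsing it.
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        logger.warning("request %s rejected: body too large", request_id)
        return _response(413, {"error": "payload too large"}, request_id)
    # 2. Parse defensively; malformed JSON is a client error, not a crash.
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        logger.warning("request %s rejected: malformed JSON", request_id)
        return _response(400, {"error": "malformed JSON"}, request_id)
    # 3. Validate shape and content against the allow-list pattern.
    username = body.get("username") if isinstance(body, dict) else None
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        logger.warning("request %s rejected: invalid username", request_id)
        return _response(400, {"error": "invalid username"}, request_id)
    # 4. Log enough for detection and forensics without logging the raw payload.
    logger.info("request %s accepted for user %s", request_id, username)
    return _response(200, {"message": f"Hello, {username}"}, request_id)


# Constructed sample events (not real traffic) for running the example offline.
VALID_EVENT = {"body": json.dumps({"username": "alice"}), "requestContext": {"requestId": "req-1"}}
MALFORMED_EVENT = {"body": "{not json", "requestContext": {"requestId": "req-2"}}
INVALID_EVENT = {"body": json.dumps({"username": "alice' OR 1=1"}), "requestContext": {"requestId": "req-3"}}

if __name__ == "__main__":
    for ev in (VALID_EVENT, MALFORMED_EVENT, INVALID_EVENT):
        print(hardened_handler(ev, None)["statusCode"])
```

The naive handler raises an unhandled exception on the malformed event and happily echoes any string on the invalid one; the hardened handler turns both into logged 4xx responses. Even this small amount of defensive code is several times the size of the feature itself, which is the ratio the article is pointing at.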

Repeating the same mistake

Having lived through several of these waves, it seems to me that how we manage these cycles is the root of many of our problems in cybersecurity. Security isn’t built into new technology from the start, so cybercriminals quickly gain a foothold and cause immense damage before defenders can catch up.

Much has been said about the cybersecurity skills shortage. Millions of cybersecurity positions remain unfilled, which is causing serious problems for many organizations. However, the size of that shortage is a product of a particular model of security. This model is reactive rather than proactive, and it takes a labor-intensive, brute-force approach to responding to threats. Cybersecurity needs more people because our methodology is to throw more people at the problem.

For example, instead of modeling threats and building strong, proactive controls during application development, organizations scan for vulnerabilities, manually analyze the scan results, and manually fix issues, while the backlog of vulnerabilities accumulates. This consumes a lot of resources and ultimately doesn’t make the organization much safer than doing nothing at all.

Moving beyond brute force

Most people can see the logic of moving beyond this scattershot approach, but it has an incredibly strong gravitational pull. Many organizations’ IT governance policies require the use of outdated security technologies and processes, even when other approaches provide better protection with fewer resources. At the same time, a rapidly evolving market means development teams face constant pressure to crank out applications even faster than they do today. This makes it tempting to jump straight into coding rather than spend time designing secure applications first.

But what if we broke away from the gravitational pull of reactive security and refocused on what really matters? We could build security in during development instead of adding it to new technologies later. Security could be consistent, prioritized, focused, structured, and strategic in its use of people, processes, and tools. And by giving developers real-time feedback, we could help them learn to write more secure code.

At the same time, security needs to be more visible. If users know which software is more secure and which is less so, they can choose accordingly. The White House issued a presidential directive in May that could move us in this direction. For example, software vendors will need to provide a software bill of materials, essentially an ingredients list for an application. People need dramatically more information about why they should believe something is secure before they trust it with something important, such as elections, finances, or medical care.

A better process for building security into the design of new technologies, together with better labeling to help users understand the security risks of what they use, can give everyone what they want: technology they can trust.

