Two Decades of Learning This Lesson
How many times have you heard that humans are the greatest threat to cybersecurity? Not enough, apparently, because it’s truer than ever – 95% of all cyber-attacks can be linked to human error according to the World Economic Forum.
But we also don’t receive enough reminders that humans are the greatest asset to cybersecurity too. People can help or hurt the effort more than anything else. All the tech in the world can’t help us advance unless the staff operating it are informed. People ultimately make the difference and drive our industry forward by leaps and bounds.
Our founder, Dr. James A. Whittaker, baked that idea into our DNA. When he started Security Innovation, he operated according to the deeply held belief that people were the key to software security specifically and software quality overall.
Now, two decades later, we (and many in the industry) have wholeheartedly embraced the unshakeable belief that software security begins and ends with people. Organizations have proven that despite major IT investments, their risk profile, attack surface, and vulnerabilities didn’t improve at a rate commensurate with the investment made in tech solutions alone.
Swimming Against the Stream of Cybersecurity
We have always done things a little differently at Security Innovation, and that was evident from our first days in business. We came out of the gate advocating for a broader and better security testing process so that defensive measures could be engineered into every phase of software development.
Prevailing wisdom at the time said just the opposite: people are irrelevant because tools like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are perfectly adequate. Despite those tools having features specific to the OWASP Top 10, those vulnerabilities are still being exploited and several have existed on the list for over 15 years!
In 2009, we presented research at RSA Conference with IDC on a long-term study into software security. The findings were astounding. Most companies reached application security “maturity” after investing in security tools, seeing disappointing results, and being forces to make adjustments. They realized that improvements in process and people needed to be in place first before they could take advantage of any tooling/automation. In other words, they had to get burned (at least) once before they learned the lesson.
Learning Our Own Lesson Along the Way
Attitudes around software security have evolved since we started, including our own. Yes, we had some missteps too!
Early on, despite our emphasis on tools second, we poured energy into building a tool of our own: Holodeck, a hostile environment simulation tool. It was full of bells and whistles and impressive in many ways. But it only served a narrow population of power users, and the technology landscape was changing so rapidly, it became obsolete after several years. We realized that using a sophisticated tool required knowledge and skill.
We learned the same type of lesson again when we tried to build a database of secure development best practices. It made logical sense to capture the deep knowledge we had gained. But our efforts also underscored that a reference tool was not the same as comprehensive training or expert developers. Knowledge is power. But as we discovered, it’s more powerful in a brain than a reference database.
We’ve also adapted the philosophy we started with 20 years ago to the changing nature of technology. Software development itself has evolved from hand coding to assembling apps from building blocks of pre-made code, and the rise of DevOps gets many different stakeholders involved with software. Developers are now just one part of security. So instead of just training developers, we’ve expanded who we train, how, and in what manner.
Many companies have now “learned their lesson”, realizing that good AppSec programs start with knowledge and are optimized with tools – that tools and tech are only as good as the people using and configuring them. We’ve covered this topic recently on a number of EdTalks shows – worth a listen.
Changing Attitudes Around Cybersecurity
A recent CrowdStrike survey showed that 84% of CIOs believe software supply chain attacks – where hackers leverage software vulnerabilities to extend their attacks or reach specific targets – will become one of the largest threats within 3 years. Software security clearly still has progress to make.
But things are starting to get better.
The rest of the software world has slowly but surely shifted in our direction. As software continues its’ march toward world domination, security has moved to front and center. Technology changes so quickly that believing that tools alone address the core problem of building, operating, and defending software is a fallacy.
Tools and technology are essential to have in any AppSec program. They find and flag common vulnerabilities faster than humans. However, organizations need to make sure they have the knowledge to get full value out of tools, otherwise the ROI isn’t there. Finding the balance between breadth of risk reduction achieved by automation and depth achieved with know-how is the key.
Our 20th anniversary has us reflecting on all that has changed since day one and all the lessons we have learned along the way. One thing that hasn’t changed is the starring role that people play in cybersecurity. We’ll continue our mission to help support, teach, and transfer knowledge to this most precious cyber resource.