“We need to repackage security work in a way that ordinary DevOps projects can consume it”
How do we keep our code and ourselves safe? In this interview, Jeff Williams, co-founder and chief technology officer at Contrast Security, explains why we have to reinvent security, why DevSecOps is so important, and how to avoid taking serious risks in applications.
JAXenter: Security is one of the most talked about topics these days but that’s not necessarily a good thing — not with everything that’s happening right now. Should we reinvent security?
Jeff Williams: We have to reinvent security. We’ve been doing the same monolithic, test-at-the-end, heavyweight processes for 20 years and are still not good at even basic blocking and tackling, much less the advanced threats.
JAXenter: Greg Bledsoe, a top DevOps influencer, told us last year that the latest trend in DevOps is to achieve DevSecOps. Do you agree with his statement?
Jeff Williams: DevSecOps is a critical trend because it offers us the opportunity to reconnect with software development in a very fundamental way. DevSecOps isn’t just taking existing security approaches and shoving them in-between Dev and Ops.
Instead, I believe that we must rethink the “work” of security to make it compatible with a DevOps organization. Essentially, we need to repackage security work in a way that ordinary DevOps projects can consume it and deliver great results… without impossible-to-find security experts in the critical path.
JAXenter: Are organizations doing enough to protect themselves from digital threats?
Jeff Williams: No. There are some seriously crazy risks being taken. Almost every application in existence contains at least one of the OWASP Top Ten vulnerabilities, which has remained essentially unchanged for 15 years. Also, essentially zero web applications and APIs can detect when they are under attack, or take action to block those attacks.
In fact, most applications need to be rewritten, retested, and redeployed. This can take days or weeks per application. But new attacks start within hours of the release of a new vulnerability. That’s an unacceptable window of exposure. The Struts2 vulnerability released last month is a good example.
JAXenter: What could they do? Do you have some tips or lessons that you learned the hard way?
Jeff Williams: First, know exactly what code and components are running where. It’s simple, but just knowing your application inventory is a great first step.
Second, focus on a few of the most critical risks and make sure you stamp them out of your applications. I recommend using IAST technologies for this as they are easier and more accurate.
Third, make sure you have runtime protection capability for all your applications. Otherwise, you have no visibility into how attackers are targeting you and cannot respond to new attacks.
JAXenter: Where is DevOps heading and how can we use it to our advantage?
Jeff Williams: DevOps is taking over software development. Most organizations are somewhere in their “DevOps Journey” already. I think the key thing to remember about DevOps is that it’s a way of staying on track to deliver value to the customer. If security could simply learn that lesson, it would be a great start. But DevOps also provides a solid foundation (processes and toolchain) that security can leverage.
JAXenter: What should people know about cybersecurity that they are not aware of yet?
Jeff Williams: I think most people would be extremely surprised to know just how vulnerable the software we use is. The average application has 26.8 serious vulnerabilities. I think 1 or 2 would be concerning, but this is really negligent.
JAXenter: What is the biggest misconception about cybersecurity?
Jeff Williams: I think maybe the biggest misconception is that hacking is glamorous. The best security researchers are the ones that can work like a crime lab to quickly and scientifically evaluate applications and find a condition that confirms one of their vulnerability hypotheses.
JAXenter: What are the benefits of adopting a security framework?
Jeff Williams: Security frameworks, like the NIST CSF, help organizations ensure that they don’t have any huge gaps at the highest level of their security architecture. You can use the framework to understand the coverage of the products, processes, and other defenses that you have in place.
The danger of these frameworks is in the details. You might think that a static analysis tool is giving you good coverage over the application security part of the framework. But you wouldn’t be able to see that static tools are limited in the types of vulnerabilities they can find, and they introduce many false positives and false negatives.