BBQ Cyber Security Thoughts…
During lockdown, I’ve taken to standing over the BBQ staring at the temperature gauge, lifting the lid occasionally and slow cooking various meats. Given the lockdown situation this provided a focal point for the day; something to attend to for the afternoon.
When standing there in a mindful stasis, things go through your head; these are some of mine…
- “Software testing Software, who thought that would work?”
- “Using systems with potential vulnerabilities to discover potential vulnerabilities in systems”
- “Shift Left would make more sense if development was linear”
- “The reliance on automation to defend against a human adversary, sounds fair…..💀”
- “We can’t improve what we can’t measure; we can’t secure what we can’t see.”
- “We accept false positives in scanners (software getting it wrong) but we don’t accept vulnerabilities (software getting it wrong).” – Software testing software.
- “The DevSecOps elephant in the room is ‘Validation’.”
- “Change gives rise to Risk. Change occurs when a system does not change, and when a system changes (duh!!)… Over time critical vulnerabilities are discovered. Patches are released. Yesterday I was secure, today I’ve a Critical Risk. Need to patch/redeploy. Also… when a system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches. This also gives rise to risk.”
- “Scale vs Depth – Scanners do scale, humans ‘do’ depth. Our enemies ‘do’ depth every time and are focused.”
- “Automation accuracy is not as strong as human accuracy – our attackers are humans.”
- “Shift Left, Shift Right: not just pushing left, need to push in both directions. E.g. a system is live, nothing changes, but it might be vulnerable tomorrow.”
- Shift Left: Prevention. Catch Early. Shift Right: Detection, Vigilance
- Shift Left: Enable & Assist developers build and deploy secure code & systems. Shift Right: Detect “the next CVE” and also mop-up anything that we missed in pre-prod.
- We’re protecting our systems against breach by humans, not scanners, right!!