DevOps Revolution: How Security Fits Into Modern Applications, With Sam Curry
Transcript of the Fast Chat Below:
Daphna: Hello, thank you for tuning into this fast chat on the DevOps revolution. My name is Daphna Krause. I'm joined by Sam Curry. He is the CSO of Cybereason, Inc. and President of Cybereason Government Inc. Sam, you've told me before that you love talking security, and I know that you're really plugged into the cyber world. Today we're gonna chat about the DevOps revolution and how security fits into modern applications. So let's jump right in. What do you see happening right now in the DevOps community?
Sam: Wow. There's so much happening. It's a little hard to pin it down to just a few things. I think that the primary mission of DevOps isn't security, and I know you wanna talk about the intersection of those things. So I think the first thing to say is, a lot of DevOps people aren't slouches at security, but they have a lot on their plate. There are many, many, many different people who are asking and putting pressure on them. I think the first thing I'd say is that they're becoming more open to higher prioritization of security, security sort of rising on the agenda.
And that's partly facilitated by DevSecOps, which, look, there's lots of definitions for it out there, but AppSec has turned into, to some degree, security for DevOps as one branch. And that familiarity with what the pain of DevOps is, is sort of helping to bridge the gap. And I would say generally, by the way, the biggest gap in most companies from a sort of operations perspective is these silos that don't connect, and security is one of them that doesn't connect well with the people who are actually doing the work. But DevOps is... well, to say it's agile is redundant, but it's certainly getting more flexible, faster. It's a super hot area, everybody is developing in and for the clouds, and business is directly tied to how well DevOps does its job. And I think that that's also getting seen a lot better by the board and by executives in most companies, but that's a super high-level thing. I apologize for that. It's just a huge subject.
Daphna: Can you explain the general differences between DevSecOps and application security?
Sam: I think of them as if they were sets, like in a Venn diagram: they overlap to some degree, and there's definitely been the path from AppSec expertise to DevSecOps and security for DevOps, cuz it's not entirely the same thing either. But AppSec is the traditional software development life cycle. It is the, you know, from inception and architecture to retirement of a product line. But I think of DevSecOps as the living and breathing instantiation of that, in a production environment. So I'm gonna give you an analogy, and anyone listening to this is probably gonna hate it. It's a little bit like in genetics, the difference between genotype and phenotype, right? So the study of genetics is the code that goes into making things. And so you could think of AppSec as really buried in that. It's not unaware of what happens. In genetics, genes aren't aware, but the people in AppSec aren't aware of what happens downstream, but they're very much focused on the code that's going to make the objects and the runtime.
Whereas DevSecOps is more about the phenotype. So it's a little bit like the difference between perhaps a geneticist and a doctor. They, you know, may have similar core knowledge and care about each other, but they're not exactly the same thing. But AppSec has evolved into security for DevOps and for production and for cloud environments in particular.
So that's my horrible attempt to try to differentiate them a little bit, but they do overlap enormously. Somebody out there is wiggling and squirming listening to this, going, "not quite right," but from a broad direction, that's how I think.
Daphna: It's a good metaphor and kind of explains the complex connections between all these different systems working together.
Sam: This is one of those things, Daphna, where you know it when you see it. Right? So if you've been doing it and you're around it, Dunning–Kruger notwithstanding, when you see AppSec being done or you do it, it makes sense. Same thing with security for DevOps, and people in it often have many career options, but I think AppSec the old style... I think ultimately the exciting place to be is doing security around both.
So how does the code arrive, and then how does it turn into something, and how do you maintain it, and how do you live it and breathe it and own it? But that's the fun stuff, as opposed to going on telling engineers, "oh, don't do these silly things," to some degree. Also, I'd like to think, even though it's far from complete, I'd like to think that more classical engineers are taking a lot more responsibility for security in their processes.
There's sort of a security tax that has to be paid or security debt, much like tech debt. And I think organizations that do well, ultimately take care of that, and you don't depend on outsiders to come in and fix it. In other words, the best security is done by engineering, and the best security is done by DevOps.
Daphna: How do application developers and businesses that use those applications keep up with the cyber threats of the future?
Sam: Well, they kind of don't, and that's not a slam on them. There are two kinds of chaos, right? Harari, in his book Sapiens, referred to them as first-order and second-order chaos, which helps to sort them out.
The first kind of chaos is when you have to deal with things that are adaptive and complex, but they're not intelligently adaptive. I'll give you an example: a hurricane is a threat in the meteorological system, but it doesn't intelligently hunt you out. COVID-19 is an adaptive, complex threat in the biological system, but it doesn't say, for instance, "Hey, my host is walking through an airport, lower my body temperature,"
in an intelligent and creepy way. But second-order chaos is exactly that. It is the worst and most insidious type of threat because there's a human intelligence behind it, or human-like as we get better at artificial intelligence, and that's a whole other subject. So why is that relevant? Well, it means that you can't get ahead of it.
You can architecturally come up with things to improve and reduce the likelihood of success, but there's always an innovative human being on the other side. So what we want is big breakthrough stuff that helps us run the race better, helps us focus our human intelligence better in defense, helps to bring the advantage to defense.
So how do they get ahead of it? Well, there's checkbox basics. They have to do those, sort of like basic nutrition, but that doesn't make you an athlete. And so I think the most important lesson is, make decisions about things that make you not just more effective in defense, but more efficient in your use of intelligence.
And that's the real race. It's a race of rates between attack and defense. So what do they do? The successful shops generally, they don't look for "just take this thing and plug it in." They say, "taking this thing and plugging it in makes me more effective at doing X or Y, or makes me more efficient with my people." Their focus is on those two values of effectiveness and efficiency rather than... hey, what's the one recommendable solution, in the old speak? What's the simple, you know, virtual machine that I deploy and plug into things through APIs or whatever that just takes care of stuff? Cuz it doesn't work that way with second-order chaos.
Daphna: So you mentioned big breakthroughs that need to happen. Do you have any examples of things that you feel the future needs to have that we don't have right now?
Sam: Wow. That's huge too. So I think generally speaking, we need to take into account the men and women doing security and how to make them more efficient, how to make their learning curves... You know, we talk about a gap in security in terms of talent, but how do we recruit better?
How do we make this a more inviting industry? How do we make it more accessible, instead of saying, "Hey, we're arcane and esoteric and you're just gonna have to deal with that, cuz we're special"? I think there's some huge innovations we could make, not in the leaky-abstraction way, to dumb it down, but rather to make the user experience such that we're focusing on the task sooner, cuz the more you're focusing on a tool and learning a tool, the less you're actually learning how to do the job.
In other words, if I have to figure out how to use the tools of carpentry, I'm not actually doing much carpentry. So we want those tools to be more intuitive. And in any form, leaky abstraction is an engineering term that says whenever you make an abstraction layer, like a dashboard or a set of tools, there's always some loss and some complexity that's missed by the person at the keyboard.
So there's always gonna be things you gotta do to learn networking and crypto and how applications work and internals and systems and forensics, but it doesn't have to be as hard as it is, and it can be more accessible. And so I think that's one area. Another is, I don't really think we've got to adaptive,
I'm gonna say, authorization. We've talked about adaptive authentication till we're blue in the face, cuz we can do that. We can do MFA in many new ways. But I mean truly verifiable, not deterministic, meaning you don't have to write who can do what all the time in an endless series of unmanageable policies, but derivable-on-the-fly, complex authorization.
I think a huge breakthrough is waiting to be made there. I also think there's a body of work to be done to figure out how to get ahead of the bad guys when they start their attack runs, but let's close some doors. And even if deception technologies have sort of become a passé thing now, that doesn't mean they're not gonna work.
If you look at a hype cycle, like Gartner's, there's this slough of disillusion, I think, or sloth of disillusion, they say, where everybody's like, "yeah, yeah, I've been there, done that." But then the technology becomes useful. And I think that there's some deceptive technologies that are gonna become useful.
Well, you know, our job is to effectively stop the bad guys sooner and faster and more completely and eventually predictively. And I think that involves everything from better signal finding, tightening up, and getting closer to zero trust. I don't believe in zero trust, just getting closer to it; it's like a limit in calculus.
And then eventually being able to waste their time. If these are races, let's make them spend theirs in a futile way. And there's probably a ton of other areas. Everyone's gonna say, "well, what about quantum-proof crypto?" I'm like, that's important, but I don't think it's urgent. That may change very, very soon, or it may not.
We'll see, but I'm looking at the things that are important and urgent. And right now the bad guys are just much more effective at simple things. The list of things that could be broken from a vulnerability perspective is enormous, and we barely know the tip of the iceberg on those. So how do we get ahead and block that stuff? Deny them.
Daphna: Sam, thank you so much for your time, and to our listeners, thanks for sticking around. For more information about Rampart AI, head to rampart-ai.com. Until next time, stay secure.