Outnumbered, Again


July 30, 2014 By Derek Weeks

outnumbered_by_jamesjiaxu-d5xemlg

The Morning Paper

I remember it clearly.  Sitting down for breakfast, I opened the Sydney Morning Herald to see the latest headlines in Australia for the day.  As I shuffled through the paper, I finally landed upon the Technology section and then noticed pages and pages of “help wanted” ads.

It then hit me like a pound of bricks.  The number of job openings just seemed to outnumber the local population of available candidates.  There simply were not enough people with the right skills to fill those roles locally.  If I were a hiring manager there, pickings might be slim, and I might be better off to look for alternatives, perhaps looking abroad for more talent pools or turning to automation.

Triggering Flashbacks

Last week, I was reading an article on the Securosis blog called “In Search of…Responders”.  The article triggered my flashback to that breakfast I had in Sydney, when the author commented:

“It seems like every conversation we have with CISOs or other senior security professionals these days turns at some point to finding staff to handle attacks. Open positions stay open for extended periods. These organizations really need to be creative to find promising staffers and invest in training them, even though they often soon move on to a higher-paid consulting job or another firm. If you are in this position, you aren’t unique.   Even the incident response specialist shops are resource constrained. There just aren’t enough people to meet demand.“

It struck me that for our customers and potential clients, the number of attackers skilled at targeting and breaching applications likely far-outweighed the staff to handle the attacks.  There were too many applications to protect, without sufficient staff to protect them, and too many predators looking for an entry point.

Here We Are:  Outnumbered, Again

As Dan Geer wrote earlier this year, “where there is enough prey, there will be predators”.  But the prey is not helpless.  As Securosis pointed out, we can react with better training to ensure people have the right skills to defend against attacks.  We can also prioritize our focus on the most common attack vectors leading to a breach (today, the application is the top attack vector).  Another approach is to automate defenses.

At Sonatype, we know there are a number of immutable truths within application development.  One is that use of open source components within application development will not end anytime soon. Having managed 13 billion download requests last year from the Central Repository, we know the volume of consumption is huge and is driven by an application development team’s ability to get new features and releases out quickly (note, there are only 11 million developers worldwide). DevOps is also driving development to release often — sometimes 50 times a week — placing more emphasis on speed.

For application security professionals, no matter how skilled, there is no way to keep up with the pace of development using a manual approach.  You are outnumbered on too many fronts:  too many developers, too many applications, too many open source or third-party components used, and too many releases.

Nobody Like Taxes

If you are a CISO or application development professional, automation will be a key part of your success.  Application security has to keep pace with development, or it will simply be considered a tax. Nobody likes taxes. We recommend automating application security across the software development lifecycle. Start by automating daily repository health checks, allowing you to see what risks or vulnerabilities reside in the component managers used by development every day. Automate quality checks within the developer’s IDE, showing them where known security flaws, license risks, or quality issues exist within the components they are using — at the moment of selection.  And automate policy checks across the development stages within the build and CI platforms.  All of these automation points work at the speed of development.  And when you are outnumbered, automation will be a cornerstone to your success.

(Image Credit: http://31.media.tumblr.com/c9531b57795054a14ca94f76090c2eb7/tumblr_mnyeftoL9R1qk87fio1_500.jpg)