Chapter 31. All Signs Point to a Schism in Cybersecurity

Ian Barwise

A schism is a division or disunion, especially into mutually opposed parties.

The cybersecurity industry is at a crossroads. Each week there are new reports of data breaches and ransomware attacks that expose personally identifiable information (PII) and personal health information (PHI) as well as financial, proprietary, password, and sensitive information that is very damaging to individuals, organizations, and governments across all industries. We will continue to see the effects of these breaches for years to come.

But it’s not as if computers or networks and the technical protocols they operate on are new inventions and it’s not as though cybersecurity is some new field of study. Information and communications technology (ICT) has been around for decades and the entire time it has existed, there have been vulnerabilities that have been consistently exploited by criminal hackers. It’s not new; this is an old game of whack-a-mole. You patch one hole and they pop up through another.

There is a schism that has formed between the information security industry and the rest of the world, including commercial industry, government, and criminal enterprises. As employers’ performance expectations continue to rise and they continue to complain about a self-perceived “skills gap,” there is a mountain of evidence that employers don’t understand cybersecurity, don’t write their job requirements correctly, and aren’t willing to pay cybersecurity professionals competitive salaries or offer them quality benefits. Meanwhile, cyber threat actors couldn’t care less about any of this. They see your organization’s lack of a coherent, well-defended network as a juicy target that is ripe for exploitation.

Attackers Have Always Had the Advantage

Sourcegraph surveyed 500 North American software developers and found that in 2020 software devs are managing 100 times more code than they did in 2010.[1] That is just insane to think about. Imagine if you had to penetration test 100 times more systems a year just to earn the same salary you make now. How about if you had to manage and monitor 100 times more information systems?

It’s daunting to think about, yet everyone is quick to point fingers at the devs who write the code that gets exploited. Mind you, salaries have not gone up 100 times since 2010, but employers expect employees to perform much more each year. Sound fair to you? When people ask why there seems to be a never-ending supply of exploitable vulnerabilities in software applications, the answer is not difficult to see.

Humans are fallible and can’t possibly be expected to write that much code quickly and proofread it for accuracy as they go. We are not machines. “But there are tools for checking code,” you say. Yes, of course. We are aware. Like artificial intelligence and machine learning, however, these tools and capabilities are only as good as the code and the biased algorithms we program them to operate with.

The pressure on devs to produce, produce, produce is unreal. The tempo of DevSecOps in some of the organizations I’ve worked in is unreal, even unsustainable, I would venture to say. Burnout is coming for you! “Just get the code to production, we can patch the flaws later!” I can hear the Scrum Masters now. Another team will take care of fixing your code flaws. There is room in the Agile software development process for security to be overlooked. Continuous improvement of the tools that we use to check code is imperative as well.

[1] Jim Salter, “Sourcegraph: Devs Are Managing 100x More Code Now Than They Did in 2010,” Ars Technica, October 1, 2020, https://arstechnica.com/gadgets/2020/10/sourcegraph-devs-are-managing-100x-more-code-now-than-they-did-in-2010/.
