November 11, 2019
Cyber Security Needs a Paradigm Shift Now
By: Uri Bar-El, Senior Vice-President and Head of Qualitest Cyber Security
Six months ago, I came back from early retirement to join Qualitest, a QA professional services firm with 3,500 Quality Engineers across the US, UK, India and Israel. I joined with the mandate to build a cyber security practice within Qualitest. The goal was to harness the right talent, build the needed capabilities and make a big impact on the market; in other words – change the game.
My first challenge was to identify the company’s DNA and how we can build on it to change the security testing landscape for the better.
After spending 20 years in the cyber security sector I know that we, the security professionals, need to adjust ourselves to the ever-changing technological landscape if we are to keep providing value.
But the security testing landscape has not changed enough in those 20 years; it has stagnated, as shown by the fact that a penetration test is still considered a key assurance tool.
While the technological side of the security industry is trying to adjust to rapid development methodologies, it is now clear that technology alone cannot keep up with them. A cultural, methodological and human-intensive change is required to make security fit for purpose again and to add real value to the modern product lifecycle.
Is penetration testing still relevant?
Penetration testing is not only a technical exercise. It is a mindset. Having this mindset is a special trait, and it plays a very important role in cyber security practice and in the never-ending “cat and mouse” chase.
We need this mindset to be present and more widespread. We need to think about the complex, unusual and non-standard ways to “break” a product or a service. We need this mindset to think ahead, not only with today’s technology in mind but with the technological landscape of tomorrow, if we want to make progress and keep the good guys ahead of the curve.
In the current perception of security testing, the same activity still has to cover both the known, mature part of the security domain and the innovative, forward-looking part. The result is a contradiction of skills and objectives.
As on any innovation “S” curve, a large part of cyber security is now mature. Known vulnerability classes such as the OWASP Top 10, and the ways to test for them, call for methodical processes and tools: testing needs to be repeatable and scalable, and to provide the widest coverage.
Cyber security should be “normalized” and tested by the same professionals who test our systems for performance, functionality or any other type of Quality Assurance testing. A security flaw should be treated like any other bug. Testing for these known vulnerabilities no longer requires the unique skills and mindset of cyber security experts the way it used to. Using these highly skilled individuals for such testing misuses their skills, lets the skill gap widen and allows attackers to gain headway.
Security must be established internally, not externally
As long as security remains an external entity to the software development processes in an organization, real security progress cannot be achieved.
As someone who has spent two decades consulting to companies on how to handle cyber security, I fully understand why security, past and present, has been positioned to point at the problem rather than to be part of the solution.
Keeping security external has an even more severe repercussion: it removes true accountability. With DevOps on the rise, accountability for a product’s security level is being narrowed down and focused.
Yet while security practices in an organization can provide guidance to development teams, accountability for the product’s security level remains “shared” between developers, operations and the CISO organization, and accountability that is shared by everyone is owned by no one.
The Role of the CISO
The traditional role of the CISO is, or rather should be, constantly changing along with the technological and business landscape. Beyond the influx of security technologies that an average CISO has to deal with on the corporate side, there is a completely different domain, the software development side, which has been left behind.
Traditional security practices can just about provide solutions for “traditional” development practices, but with today’s rapid development trends and IT changes, traditional security tools and practices fail to add value. Worse, they complicate and clutter the development process, rendering themselves useless.
Because of the different skill sets the two domains require, together with the technological influx, it is becoming clear that the role of the CISO will split in two: securing the corporate environment and securing product development.