CyberTech has historically been a great event for us: we won the CyberTech TLV 2019 competition as the most innovative and disruptive solution in cyber, and the event in Rome was just as successful, in different ways.
The event was a great opportunity for Italian cyber, InfoSec and IT professionals to get up to speed with the latest cutting-edge CyberSec technologies, especially those exhibiting in the Innovation Zone, as we were.
It was also a great opportunity for us to learn more about the Italian market and, more importantly, about the current state of Italian enterprise and public-body organisations in terms of their InfoSec and cyber security practices and posture.
Globally, it is clear that the cyber security industry is growing, fuelled by companies realising that simply being compliant will not cut it, especially in the wake of the high-profile attacks and breaches of the last 12 months.
I had an absolute whirlwind of a week with my colleagues, enjoying back-to-back-to-back meetings, speaking to almost 100 people / organisations across a complete cross-section of industries and sectors, who specifically wanted to understand how they could approach developing and releasing more secure applications, faster, whilst also being able to scale the testing of their applications in production.
There were several common themes across every engagement we had, but I will use one example that highlights all the salient lessons I learnt.
Speaking to the InfoSec representatives of one public services organisation, who will of course remain unnamed, it was clear they were completely disconnected from the development team. They were candid in their responses: they knew absolutely nothing about the security measures, in particular the AppSec testing, that their development colleagues had in place prior to release, even though they headed up InfoSec. They performed periodic (but not regular) testing, which consisted mainly of manual testing done internally, but admitted they didn't have a sizeable enough team with the requisite experience to cover the 950 applications they continue to manage. Over 700 of those applications are legacy ones (a common theme across the industries and sectors we spoke to), built on old frameworks and languages on which current DAST tools simply do not work. When asked how much they spend on manual PT, the universal "Mamma Mia..!" explained its magnitude perfectly.
Interestingly, whilst speaking to them, another delegate approached our stand and started talking to my colleague, only for me to notice from the pass around his neck that he was from the same organisation! They had never met (which, with thousands of employees, was understandable) and after making our introductions we realised we had development to the left of me, InfoSec to the right, "here I am…..at CyberTech with you…"
A conversation that would normally play out over a WebEx, I now had the benefit of watching in person: two departments intrinsic to an organisation's security, whose actions directly affect each other, discussing their issues.
Their immature DevOps process relied solely on SAST. They were not happy with it: the false positives it generated were a major drain on their resources. They wanted to implement DAST, but after a few evaluations and PoCs they realised that the tools would slow them down without giving them the coverage they needed.
The InfoSec team complained that too many vulnerabilities were getting through, that they were being detected too late, and that the mammoth task of effectively prioritising remediation had snowballed so much that they didn't even know where to start..!
Sound familiar? They, and you, are not alone, which is why the concept of DevSecOps is gaining more and more traction, although in Italy it is still at an embryonic stage.
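One concrete way to tackle the two complaints above (findings arriving too late, and a remediation backlog nobody knows how to prioritise) is to gate the pipeline only on findings that are new relative to an accepted baseline, ranked by severity. The script below is an added illustration of that pattern and is not code from the original post or from any vendor's product; the JSON report layout, the `findings`/`rule`/`location`/`severity` field names and the sample reports are all constructed for the example, so adapt the loader to whatever your scanner actually emits.

```python
"""Baseline-diff gate for scanner findings (added example, not from the page).

The idea: a scanner (SAST or DAST) runs on every build, but the build only
fails on findings that were NOT already present in an accepted baseline and
that meet a severity threshold. Old, triaged findings stay visible in the
report without blocking developers, and the blocking list comes out sorted
so the team knows where to start.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Severity ordering used for the gate threshold and for prioritisation.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str        # scanner rule / vulnerability class, e.g. "sqli"
    location: str    # where it was found, e.g. a URL path or file:line
    severity: str    # one of the keys in SEVERITY_RANK (lower-cased)

    @property
    def key(self) -> tuple[str, str]:
        # Identity of a finding across runs: same rule at the same place.
        return (self.rule, self.location)


def load_findings(report_json: str) -> list[Finding]:
    """Parse the (hypothetical) scanner report format used in this example."""
    data = json.loads(report_json)
    return [
        Finding(f["rule"], f["location"], f["severity"].lower())
        for f in data.get("findings", [])
    ]


def new_findings(current: list[Finding], baseline: list[Finding]) -> list[Finding]:
    """Findings present in the current run but absent from the baseline."""
    known = {f.key for f in baseline}
    return [f for f in current if f.key not in known]


def gate(current: list[Finding], baseline: list[Finding],
         fail_at: str = "high") -> tuple[bool, list[Finding]]:
    """Return (passed, blocking_findings).

    passed is False if any NEW finding has severity >= fail_at. The blocking
    list is sorted most-severe-first so it doubles as a remediation order.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in new_findings(current, baseline)
        if SEVERITY_RANK.get(f.severity, 0) >= threshold
    ]
    blocking.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 0), reverse=True)
    return (len(blocking) == 0, blocking)


# Constructed sample reports (not real scan output).
BASELINE_REPORT = json.dumps({"findings": [
    {"rule": "sqli", "location": "/login", "severity": "high"},
    {"rule": "xss",  "location": "/search", "severity": "medium"},
]})

CURRENT_REPORT = json.dumps({"findings": [
    {"rule": "sqli", "location": "/login", "severity": "high"},     # already known
    {"rule": "xss",  "location": "/search", "severity": "medium"},  # already known
    {"rule": "ssrf", "location": "/export", "severity": "high"},    # new: should block
    {"rule": "info-leak", "location": "/health", "severity": "low"},  # new, below threshold
]})


def run_example() -> tuple[bool, list[Finding]]:
    """Run the gate over the constructed reports and return its verdict."""
    passed, blocking = gate(load_findings(CURRENT_REPORT),
                            load_findings(BASELINE_REPORT), fail_at="high")
    for f in blocking:
        print(f"BLOCKING [{f.severity}] {f.rule} at {f.location}")
    print("build", "PASSED" if passed else "FAILED")
    return passed, blocking


if __name__ == "__main__":
    run_example()
```

In a real pipeline the baseline is the report from the last accepted build (stored as a build artefact or checked in alongside the code), and the script's exit status is what the CI job uses to fail the build; bumping `fail_at` to `"critical"` gives a softer gate for teams that are still digging out of a large backlog.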
Application vulnerabilities are a leading cause of successful cyber attacks and data breaches, and the issue needs to be addressed now rather than later.
The way companies develop software, and the degree to which organisations depend on those applications, has changed dramatically, and exposure to risk has grown with it.
Everyone agrees that application security is a business-critical process, but historically it has neither complemented nor fitted development methodologies like DevOps. The result is that it is either not used or not integrated into the process at all, so as not to impact commercial business goals.
Everyone I engaged with agreed that, in order to succeed, the gap between security and development needs to be eradicated altogether.
The interest in our innovative approach, and in the pain points it removes, was amazing. We spoke about how easy it is to embed and seamlessly integrate comprehensive, accurate and automated security testing into the DevOps process, regardless of how mature that process is, or indeed whether one exists yet at all.
They could see that with the solutions on our AIAST platform (such as NexDAST and NexPloit), which deliver simple-to-use, intuitive testing capabilities that require no cyber security experience, security testing can be put into the hands of their developers, integrated into their agile development or unit-testing processes, and even used by their QA teams to introduce automated AppSec testing.
As someone based in the UK, the number of Brexit jokes I had to endure over the trip was understandable, but whilst we work out whether it's better to be in or out, unified or not, one thing is certain: a union of DevOps and security is of paramount importance to reducing exposure, and AppSec testing automation is the only way of achieving it effectively at scale.