I was recently invited to give the opening keynote “Dude, Where’s my Security?” at DevSecCon in Tel Aviv this coming May. An honour I humbly accepted. In anticipation of this first-time event in this beautiful country, I was asked to write a blog post to provide some insight into this talk.
Originally published on the DevSecCon blog on 4/4/2018.
Shift Left and Group Hug!
Twenty years ago, when I started out in tech with a university degree in hand, there were two paths you could take: computer programmer/software engineer or system administrator. The internet was raw; we used Netscape Navigator or Mosaic to browse sites, and Yahoo or Alta Vista as a search engine. VAX and Unix were the operating systems of choice, and using telnet or rlogin to move between systems was the norm. If you decided to take on the Windows world, you might have been lucky to get Novell NetWare training. If you don’t know what I am talking about, trust me, we would rather forget it too. Some of us took sales roles, but the rest of us stayed the course.
As someone who enjoyed coding software at the OS layer, I accepted a position with the Department of Defence. There were no limits on the technology available; research and development was limited only by our imaginations. No idea was off the table. Given every project was classified, many had small dedicated teams working together to design, model, develop, test and monitor, with up-skilling and cross-skilling encouraged. Software standards and processes were written for everything: programmers never forgot to comment their code, catch/exception clauses were not features we added when we had “spare time on our hands”, and validating input was not an obsessive pastime; it mattered. Repeatable patterns and automating as much as possible were key; mindset, collaboration and knowledge-sharing weren’t after-work activities.
Moving to the private sector as a software developer felt very uncomfortable. Having come from such a structured environment, I found that teams were protective of their space. Coders were coders, testers were testers, and security teams were the “NO people”. System administrators became an undervalued resource, with application owners forcing the OS build to go against the SOE. The list of foreseeable security vulnerabilities was endless. This made for a highly stressful work environment: everyone working on their own piece, in their niche area, communication was nominal, collaboration minimal, and no one leveraged the skillsets of others to gain the best outcome for the client.
Security never seemed like it was a priority. The focus was always customer functionality and project requirements, and let’s not get started on scope creep! ‘Client expectation’ vs ‘budget reality’ was a challenging area, and still remains that way today. All projects were managed to some type of software development framework, which every organisation implemented differently. Being a cost-effective and quick software developer almost always got you rewarded: KPIs were met, the yearly bonus was paid out, and management recognised you. I personally felt that budgets were regularly underestimated and code was always rushed, causing security nightmares at the end of the project, or worse, after its release (more money!!).
One of my major stress factors while working in the private sector was ensuring I never over-charged my clients for my work and kept within budget. Even when I delivered the software on time, I always felt it was rushed. The code was not well planned or designed, or it could have been written better (more reusable and faster). I recall coding through countless evenings without billing the client, to ensure quality business functionality and the desired outcomes. Some might argue that I was an ineffective programmer, or perhaps I was a perfectionist. Whatever the reason, I struggled with promoting my code into production if I knew it wasn’t properly tested.
I became professionally challenged by the coding practices in the private sector. The lack of quality and of staff training made me disillusioned, and I started to question my career choices. Secure coding seemed to be a dirty word, and it was a fight at every stage. Shifting left, or even basic influencing, was an impossible task. Without management buy-in, or even peer understanding, shifting security in any direction would have been a win.
There is a lot each industry can learn from one another. Whether it’s the DoD or an online shopping cart, the end goal is always to deliver new business functionality through the use of technology. When I reflect on my time in government, not all personalities clicked in that windowless office, but everyone worked towards a common goal. Whether it was during a 5-minute standup or a weekly run-down of the entire team project plan, you saw what the hardware person was doing, the UI challenges, how the ML rules were coming along, or the struggles of not being able to encrypt the information in the database. Everyone provided input on how to solve the problem. The mindset wasn’t, “it’s not in my job title, so who cares”! R&D is for everyone, and if you don’t know, you go and find out. There was a passion and thirst to make that difference and develop a product to be proud of. So much of that was missing for me in the private sector, and conferences like DevSecCon are bringing all these values back.
It’s such an exciting time to be alive, with so many amazing advances in technology. Even though I have since made the move to information security, the DevSecOps movement, where mindset, collaboration and teamwork meet, is close to my heart. Working in silos must become extinct. As an industry we need to stop doing what we have always done simply because it’s always been done that way. Change is coming whether the industry is ready or not!
‘Dude, where’s my security?’ is a story of how collaboration and cross-skilling work. I will compare the silo team mindset with the community mindset that I once had the pleasure of experiencing. I hope to see many of you at the opening keynote at DevSecCon Tel Aviv, where everyone is shifting security left.