Well, folks, it's been an interesting couple of weeks.
I've been out and about working with our customers (hence my disappearance from the blog for a while) and their partners - trying to get some insight into where we need to provide the most support. The conclusions I'm coming to aren't helping me sleep any better at night...
The title of this post is "wizard-driven software security testing" primarily because that is what I'm seeing as the lead requirement from many of the companies investing in software security assurance tooling right now.
This is the opposite of the program-based approach we've been advocating for years... so I've been left to wonder why. It's easy to say that as the pool of companies jumping on the "we need to secure our applications" bandwagon grows, the inevitable result is that the talent pool dries up and they're forced to hire ever-more junior security folks who maybe aren't as strong in software security as they should be (or claim to be).
I'd buy that... but that can't be the only reason, can it?
"The Collective Intelligence is Dropping"
Earlier today I read someone say that the "collective intelligence of the App Security community is dropping"... primarily because of the dilution of talent. There are a number of people who "get it," and their number is increasing - but the number of those who are in it because it looked like it would pay well (was the "hot job") is increasing faster.
This is a very real threat to our community, and to the collective security posture of your organizations out there.
As it Happens...
So... just what is going on out there in the software security world? A quick analysis of the situation is as follows:
- more companies are starting up Software Security Assurance programs than ever before
- the cost of the good talent is increasing, and those that are good are becoming more mobile in the workforce
- the number of business-savvy App Security professionals is not increasing in the proportions we need
- companies are turning to technology to compensate for the sagging talent levels
- the "great divide" is growing between the "get it" vs "check the box" groups
Let Me Just Say...
Technology alone will not save us.
There, I said it, it's on the record. The greatest innovations in technology will just be blunt instruments in the hands of the untrained and unaware. This is a big, big, potentially LulzSec-sized problem.
Looking at how fast innovation is speeding ahead, it's clear that today's innovation has already outpaced the average "application security analyst" out there in corporate IT. Wait... what does that mean?
The technology already available today for testing your applications is quite complex, but many folks we run into simply want to push the magic security button and get fast, accurate results. That's simply impossible, but the requirements we hear keep demonstrating that want. So what do we do?
We must deliver high-scale security technology in an easier-to-consume platform. Whether that's a fully outsourced solution ("in the cloud"), an outsourced + on-premise ("hybrid delivery") solution, or something entirely on the local system ("local install") is determined by where the customer is on that maturity curve - and what their situation is as far as talent is concerned.
Many organizations would love to have software security handled for them, but for many of them this just isn't practical. Does that mean you shouldn't use an outsourced "in the cloud" solution? Of course not. Just make sure that what you do use can grow with you as your needs change.
Software Security Assurance isn't something you install overnight, or stand up over a weekend... it's a long road that involves many aspects of your IT and business organization that you're probably not comfortable with. That's probably the most difficult part - the political block & tackle. Let someone who's done it before show you how - there's no shame in asking for help.
Measured, or it Didn't Happen
Above all, measure it. Whether you're making forward leaps, or backwards strides - measure, measure, measure. Also, make sure what you're measuring makes sense and isn't from some cookie-cutter that won't apply to your line of business, or domain.
Back to the Wizards
So... those wizards. Yes, the technology we in security support changes twice a day. Developers find new and exciting ways to write poorly-secured code faster than you can find ways to 'security patch' it. Get over it.
So, the wizards then. The products you use should be intuitive and have a low barrier to entry intellectually. They should also be able to grow with your organization as you get better and hone your craft. Point-and-shoot cameras are only good if you never want to get better at taking brilliant pictures, and they have their limitations - the same applies to app security technologies.
Meanwhile... we'll be over here trying to balance ease-of-use and power in that wizard interface, enabling that shrinking pool of top App Sec talent to get up the curve faster, and make your applications less risky.
Cross-posted from Following the White Rabbit