11.7 seconds: that is how often Amazon's engineering teams deploy code every day. Companies like Amazon and Netflix release thousands of times a day to help them reduce the duration and number of service outages. With increasing pressure to deliver value faster, software is being released faster than ever before, and in turn this is shifting the security landscape.
The Application Security Landscape:
The number of cyber attacks continues to rise year over year. According to the latest statistics from Statista.com, the number of data records exposed hit an all-time high in 2018 (the number for 2019 had not yet been released at the time of writing this article).
On the other hand, 2019 was not a good year for cyber security at all. Victims ranged from technology gorillas like Google and Facebook, banking giants such as Capital One, and government departments such as U.S. Customs and Borders all the way to your local hospital and police force.
The threat continues to grow in 2020. In order to understand the causes behind that increase, we need to explore the threat landscape:
A) A painful shift left approach
“Shift left” is a concept that suggests moving security testing earlier (or left) in the software development lifecycle. Most of the time this involves development teams integrating tools and processes to ensure the security of the code being written and shipped to production. This concept is easier said than done. A software development job today is a very complicated one: there is a cognitive overload on the software developer to not only understand but master not just all the software development fundamentals, but also a plethora of other technologies, libraries, frameworks, methodologies, cloud architectures, and deployment tools and processes, let alone worry about code quality, scalability, readability and performance. It is not a surprise that writing secure code might not be one of the developer’s main concerns. How could it be, when deadlines continue to be the main driver behind most decisions in a software development organization? So in 2020, developers will have even more competing priorities that add to the cognitive overload.
B) Proof of Compliance and security hygiene
Historically, one of the main drivers behind cyber security, other than avoiding cyber attacks, has been compliance. However, for the longest time compliance was vertically integrated: industries like banking, financial services and healthcare were under heavy security compliance, while other industries lacked any kind of security compliance at all. 2017 and 2018 saw a greater push for nation-wide compliance, for example:
- GDPR: The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
- Australian Government Information Security Manual: The purpose of the ISM is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats.
- UK Minimum Cyber Security Standard: this is a set of standards that the government expects departments to adhere to and exceed whenever possible.
- Canada Baseline Cyber Security Controls for Small and Medium Organizations: a publication intended for small and medium organizations in Canada that want recommendations to improve their resiliency through cyber security investments.
Beyond regulations and guidelines, high-profile incidents and trends of the last couple of years, such as the Equifax breach, led to cyber security gaining momentum both vertically and horizontally. During the last two years, for the first time in history, the industry started to see C-suite shake-ups due to cyber attacks; Capital One, Target and Uber are good examples. This made cybersecurity a common boardroom discussion. Cyber risk awareness has gone horizontal as well: attacks like ransomware hit hard everywhere, from enterprises and universities to municipalities and small businesses.
This resulted in a growing appetite for security hygiene, particularly in non-regulated industries where there are no blueprints for security. Software development organizations in particular are the most vulnerable. Most software development activities are hosted outside the perimeter, which forces management to think more about security controls and practices: source code is hosted on GitHub, builds run on CircleCI, continuous integration and continuous delivery run on Travis or TeamCity, emails are sent through MailGun, payments go through Stripe, the database is RDS on AWS, and the application is deployed on an EC2 instance on AWS or on Azure, let alone developers working from home and outsourced developers all over the globe. Companies have seen years of development effort lost to breaches, misconfigurations and sometimes negligence. The lack of formal security education, combined with the growing demand for security skills, exacerbates the problem.
C) Cybersecurity skills gap widens:
Unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20% from 1.5 million in 2015, according to the Center for Cyber Safety and Education. While more and more colleges and universities are offering cyber security courses, most programs do not offer anywhere near enough to prepare students for real cyber security work. According to Forbes magazine, the cybersecurity skills gap won’t be solved in a classroom, considering the fact that nearly 80% of ethical hackers are self-taught.
Additionally, most cyber security jobs are not available to fresh graduates, at least not without experience. When the ratio between software developers and security engineers in a typical enterprise is 100:1, it is very hard for that one security engineer to be a junior. This makes it even harder for new professionals to enter the workforce. In reality, cyber security is a highly trained and highly certified profession. According to CSO Online magazine: “In reality, the profession is stuck in a never-ending need to catch up with developing cyberthreats, in turn creating distance between qualified professionals’ knowledge and the threatscape they are defending against.”
Thanks for reading 🙂