We’ve had Solar Winds. Kaseya. Microsoft Exchange. We’ve heard of millions upon millions of personal data files being hacked and exploited. So, why was it that the Colonial Pipeline ransomware attack was the one to get people focused on software and infrastructure security?
The easy answer is because it hit consumers at the gas pump, and made gasoline very hard to get in other places. With a public outcry like that, it’s no wonder that people took notice — people in security positions, to politicians calling for investigations, to the C suites of many organizations.
There were some among us, though, who had already taken notice — security engineers who’ve been literally howling about poorly written code and vulnerabilities for years. And the move to remote work also focused IT and security professionals to push for more effort.
Mark Ralls, president and COO of Invicti Security, said that at the Black Hat security conference early last month, there was a palpable sense that there have never been so many big security issues in a short period of time. Among the conference attendees, Ralls said, the general reaction to the Colonial ransomware attack was “not like any sort of shock or surprise. The reaction was, why did it take lines at gas pumps, when there’s been this steady trickle of hospitals getting shut down, city and local government, police forces. And so I think there’s this almost kind of weariness over the fact that, ‘Oh, my God, that’s what they pay attention to?'”
Security teams, Ralls said, have been trying to get more attention to the problem for a long time, as they see first-hand that things have been out of control. “Security people were frustrated that that’s what it took, but they’re glad attention is being focused on the problem.”
Part of the problem is the disconnect between the C suite and the developers on the ground, Ralls explained. In a survey Invicti did of developer managers and developers, they found those workers were much more worried about security than the higher-ups in the organization. “Senior leadership were massively more confident that every application was being scanned, that security is built in their process. And the lower in the organization you went, they’re all kind of worried. And then you go down to the practitioner level, and they’re very worried.”
Perhaps the disconnect is a lack of visibility in the reporting, or maybe it’s the squeaky wheel not getting rewarded, Ralls speculated. This might be leading to people just doing their jobs to the best of their ability and not escalating things up the chain as often.
Ralls also laid security problems squarely at the feet of the new complexities required to build applications and deliver new features or bug fixes at ever-increasing speeds. “Agile is almost everywhere, and with Agile come microservices and increased use of APIs and breaking the application apart,” he said. “And if your security can’t keep up and you don’t want to be the one to throw a wrench in the works and prevent the latest release from going out, there’s a long-tail risk of a very bad outcome.”
He went on to say that if you’re not communicating these issues up the chain, it’s only natural for the C-level executives to say, “Well, security’s not freaking out so therefore, we must be secure.”
At Black Hat, Ralls said, one of the keynote speakers was lamenting the fact that the industry has been talking about such application vulnerabilities as cross-site scripting and SQL injection for 20 years and yet they have not been eradicated. “There’s always been a sense of it’ll get solved at the platform level, or some other level,” Ralls said. “I think we have to get to the point that just isn’t going to happen. And so, we’ve got to help developers create their code more securely.”