Lightning Talk: Security is in Crisis, A New Journey Begins
Full transcript
The complete talk, organized by section.
James Wickett
I'm here to talk to you today about how security is in crisis.
This is like a five-minute version of a long talk that I've given before. So I've never done that before, so this may not go exactly right, but we'll hang with it here. And I think that once we see that we're in crisis, we'll see the journey that comes forth.
I work over at Signal Sciences. I do a lot of stuff over there. I have some classes that I've taught on lynda.com and LinkedIn Learning. And I'm located out of Austin, so if you ever find yourself in Texas, come on by, say hi.
Well, hey, the world's different now, right? I really love the new OSI model. It's way easier for me to remember, and I get it, and I'm like, "This is perfect." And we've seen this from data center to cloud to containers to serverless.
But security. Security's still those people that you're a little worried about sometimes, and they're not really getting with the new program of how we're living in the new world and how it's structured.
In this book, Agile Application Security, they say, "Many security teams work with a worldview where their goal is to inhibit change as much as possible." Does that resonate with anybody? Do you have a friend who does that at work? Yeah.
So I've had people tell me, "Hey, security prefers a system powered off and unplugged," like we're idiots. Like we don't know that we have to make money. And then security people are like, "Yeah, those stupid developers." And you see there are two silos created between these two organizations, and they're not talking together well.
Well, Steve Bellovin, he wrote the old book on firewalls in the late '90s, but he recognizes this as well. He says, "We're still seeing all these breaches, but we're protecting the wrong things, and we're hurting productivity in the process."
Rich Mogull, he's really big in the InfoSec space, and he was commenting on this at RSA this year. He said, "A lot of the companies that are here today on the expo hall floor, they're not going to be here in five years," because of what's happening in DevOps and how it's turning into a revolution.
Security's been around for a long time. There's this great book called The Tangled Web, and in it, in the first chapter, it recounts a history of security and says, "We've traded inadequacy for structured inadequacy." And he goes on to say that we do actuarial duties and take out insurance policies.
And we live in this world where you have 100 developers and 10 operations people and one security person. Those are just order-of-magnitude estimates there. But we see this, and we saw this 10-to-1 ratio with Dev to Ops. And what drove us in DevOps originally, we started saying, "Okay, let's start having compassion for the operations folks." I think we need to extend that same level of compassion for security. I think that's going to be the driver of the new way.
Rich Smith, he used to lead security over at Etsy. He says, "A security team who embraces openness about what it does and why spreads understanding." This is really antithetical to ways that security's been operating for a long time.
So we have these two paths, and I want to juxtapose a couple of things for you.
So the old way was embracing secrecy. I think the new way is to create feedback loops.
Old way: just pass audit. New way: compliance adds value.
Old way: stability. New way: chaos.
Old way: build a wall. New way: zero trust networks.
Instead of certainty testing, we start thinking about adversity testing, and we make all those tests happen earlier as we shift left.
Jason Chan over at Netflix, he likes to talk about the paved road, like creating a way that you can move forward safely and security's already built in.
We're going to hit up three of those areas real quick. We're going to talk about feedback loops, how to create chaos, and what it looks like to do adversity testing.
So I think feedback loops are really important, and it's good to do ones that actually matter. So thinking of things like account takeover attempts, or looking at what vectors are under attack, looking at business logic pieces, and trying to correlate traditional security noise with what's actually important to your application.
Adding chaos. Aaron Rinehart and I talked about this today. We talked about putting chaos in your system and making sure that you are able to assert that you're able to find those problems. ChaoSlingr is a really cool project.
Also in that Agile Application Security book, it says, "The goal should be to come up with a set of automated tests for security features that will execute every time the system is built and deployed."
I work on a project called Gauntlt, and it does a lot of those things. I think you can think through security in the pipeline in these three areas. If you said, "Okay, what do I have that I've bundled into my app that's leaving me vulnerable? Do I have any build, acceptance, or integration tests that catch security issues before release? And then how do you make a feedback loop from operations?"
So if you want the slides and a link to the full talk, if you email me at that email address, I have an autoresponder, so you don't have to say, like, "That was the funniest talk ever," but you can. But it'll automatically get it to you.
So thanks. All right.
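The talk names account takeover attempts as the kind of feedback loop that actually matters to an application, and says those checks belong in the pipeline as automated tests that run on every build. The script below is an added example written for this page, not code from the talk, from Gauntlt, or from Signal Sciences. It assumes a constructed login-event log format (`ip=… user=… result=…`) and hypothetical thresholds, and turns raw login noise into a single actionable signal: which source IP sprayed many accounts, and which accounts then logged in successfully from it and need review. The `find_ato_candidates` function is pure and returns a list, so it can be asserted on in a build-time test just as the talk suggests.

```python
"""Added example: a minimal account-takeover feedback loop over login events.

Not part of the original talk. Log format, thresholds and sample data are
constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample log (TEST-NET addresses, not real traffic).
# One login event per line; a garbage line is included to show parsing is defensive.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-01-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-01-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2024-01-01T10:00:04Z ip=203.0.113.5 user=dave result=fail
2024-01-01T10:00:05Z ip=203.0.113.5 user=erin result=fail
2024-01-01T10:00:06Z ip=203.0.113.5 user=bob result=success
2024-01-01T10:00:07Z ip=198.51.100.7 user=alice result=fail
2024-01-01T10:00:09Z ip=198.51.100.7 user=alice result=success
this line is garbage and should be skipped
"""

# Hypothetical log line shape: timestamp, source IP, username, and outcome.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_event(line):
    """Return a dict for a well-formed event line, or None for anything else."""
    match = EVENT_RE.match(line.strip())
    return match.groupdict() if match else None


def find_ato_candidates(log_text, min_failures=5, min_distinct_users=3):
    """Flag source IPs that sprayed logins across many accounts.

    A source is suspicious once it has at least `min_failures` failed logins
    spread over at least `min_distinct_users` accounts. Any successful login
    from that source *after* the threshold is crossed is recorded as a
    compromised-account candidate for the team to review. Events are
    processed in log order, so an ordinary user who fails once and then
    succeeds is never flagged.
    """
    state = defaultdict(
        lambda: {"failed_attempts": 0, "users_tried": set(), "compromised_candidates": []}
    )

    def is_spraying(s):
        return (
            s["failed_attempts"] >= min_failures
            and len(s["users_tried"]) >= min_distinct_users
        )

    for raw in log_text.splitlines():
        event = parse_event(raw)
        if event is None:
            continue  # malformed line: skip rather than crash the feedback loop
        s = state[event["ip"]]
        if event["result"] == "fail":
            s["failed_attempts"] += 1
            s["users_tried"].add(event["user"])
        elif is_spraying(s):
            # Success from a source that already looks like a spray: this is
            # the account worth paging someone about, not the 5 failures.
            s["compromised_candidates"].append(event["user"])

    findings = []
    for ip, s in sorted(state.items()):
        if is_spraying(s):
            findings.append(
                {
                    "ip": ip,
                    "failed_attempts": s["failed_attempts"],
                    "distinct_users": len(s["users_tried"]),
                    "compromised_candidates": list(s["compromised_candidates"]),
                }
            )
    return findings


def format_findings(findings):
    """Render findings as short one-line messages for a chat channel or build log."""
    lines = []
    for f in findings:
        accounts = ", ".join(f["compromised_candidates"]) or "none"
        lines.append(
            f"ATO signal from {f['ip']}: {f['failed_attempts']} failures across "
            f"{f['distinct_users']} accounts; successful logins to review: {accounts}"
        )
    return lines


if __name__ == "__main__":
    for line in format_findings(find_ato_candidates(SAMPLE_LOG)):
        print(line)
```

Run as a build-time check, the interesting property to assert is not the raw counts but that the detector stays quiet on the normal user at `198.51.100.7` and surfaces only `bob` at the spraying source; that is the difference between "traditional security noise" and a signal the application team will act on.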