Transcript
CONTRAST SECURITY'S INFLUENCERS CHANNEL, Episode One: Jonathan Chow and Neeta Manier, Live Nation Entertainment

JEFF WILLIAMS: What's the one thing that deeply bothers you about the way people practice application security today?

NEETA MANIER: For me, it's that we're finding vulnerabilities that existed 10 years ago... we're still not getting good at fixing [them].

JONATHAN CHOW: I've been involved in part of an applications program here for 12 years now, and we're still having developers creating the same flaws, so I think the education piece is what's missing. We've got to stop making the same mistakes.

JEFF WILLIAMS: I couldn't agree more. I wrote the first version of the OWASP Top Ten in 2002, and it's essentially the same stuff in there still after 12 years. It's really not changing, so that's a bit of a failure for the security industry.

JEFF: How do you stay on top of your portfolio of applications, the developers writing new code, and new vulnerabilities coming out?

JONATHAN: It's almost a job unto itself... I try and maintain good relationships with our business partners, because in some cases they'll go outside approved IT folks to get it done cheaper, faster, better. And that's a primary driver for rogue work happening.

NEETA: We've just hired what we call Business Security Leaders, so they're our liaison... we're just trying to make [security] more visible in those areas... we're trying to empower the teams to do that better themselves.

JEFF: Interesting. I like that. I've been studying the ways that industrial factories monitor their complex systems... What I'm wondering... it sounds like what you're doing is like a human instrumentation, where you're gathering data through relationships with various teams.

NEETA: I think it's really important, scanning technology, and it's important for that to be well integrated into the tools we already use. Any SDLC process, whether you're doing QA or builds, trying to inject security into those particular tools is going to be important for any instrumentation.
JEFF WILLIAMS: How do you feel about your visibility into the apps and other systems that you run? ...What do you do to fill in the gaps and make it look up-to-date?

JONATHAN: What Neeta said earlier was not enough bandwidth. It's true for every IT security shop that I've ever talked to or been a part of... You're always going to be overwhelmed. You're always going to be outnumbered.

JEFF: That strikes me as exactly what needs to happen: the security experts really need to get out of the way and enable the development teams to do these things for themselves with automation and guidance and training.

NEETA: I remember working at GE and having that. You'd have such a long time between when an application requirement came out and when it was released... in an agile environment, if you're not there then you miss it, and it's kind of harder now to have that position.

JONATHAN: It's actually the worst of all worlds if you miss it, because you either slow them down and they won't come back, or you interrupt their process and they see you as incompetent... We risk becoming the proverbial dinosaur where we don't have a place in the new world.

JEFF: Do you feel that's the only pressure on security groups? The move to Agile and DevOps kinds of organizations? Or are there other things that are changing the way people do security or security information?

NEETA: I think there's also a positive change. I think that application security is a pretty hot topic now, more than it was years ago; it's more visible. We joke that we use security breaches as our leverage to convince teams to do more.

JEFF: I know we've broken out of the echo chamber when my mom calls and says, "What's going on with this Heartbleed thing?"

JEFF: I want to know: what are the key metrics that you want to know so you can sleep at night?

JONATHAN: A raw number of flaws in applications is a key metric for me.

JONATHAN: I would love to get down to the point where I can go to a specific developer and say, "You know, you've been making cross-site scripting errors since 2006. You've made it in January here, you made it in March here, you made it in October here. I need to teach you something."

JONATHAN: If we can get to that point where the developers and development teams and outsourced development shops can accept the fact that security teams are here to make them better at their jobs, then I think it will gain more momentum.

NEETA: I think that any metrics that help us understand the progress, trending metrics from point A to point B... I think that's been really helpful for us to say to a team, "Congratulations!"

NEETA: On the educational side, vulnerabilities by technology, so we can figure out, "What should we be training our teams on?"

JEFF WILLIAMS WITH JONATHAN CHOW AND NEETA MANIER