Last week Bugcrowd attended Gartner’s annual Security and Risk Management Summit in Washington, D.C. While I know what a city built on a swamp does to your hair, I’m still happy to return every June to catch up with analysts, customers, and industry peers on the latest security challenges and solutions. This year I wanted to double-down on sessions and analyst perspectives as Bugcrowd prepares for an exciting few months! In this blog I’ll share some key themes, as well as the unexpected ways they surfaced throughout the week.
I’ll start with the closing keynote, not just because I missed the opener, but because of the speaker. Nicole Malachowski (former fighter pilot for the U.S. Air Force and all-around badass) shared three bits of advice that happened to map to the themes I noted. I’ve also never really had the opportunity to write a security blog with fighter pilot metaphors, so here we go…
Trust: “Honor the wingman contract”
Malachowski used the term “wingman contract” to describe an agreement between pilots flying in tight (~3 ft clearance) formation: “Trust your team to do their job; focus on your own.” In separate sessions on application security and DevSecOps, Ramon Krikken (Gartner) and Joseph Feiman (White Hat Security) suggested similar, albeit less high-stakes, models for the often challenging interface between Security and Development. Feiman eschewed the traditional post-build handoff process in favor of one that disperses the interaction points across the entire SDL (DAST, SAST, and SCA from coding through deployment). This method builds trust from shared context, while focused automation and integration (the autopilot of DevSecOps, so to speak) reduce the friction caused by many moving parts. Krikken also suggested that security leaders consider adapting security testing tools to the developer’s mindset, forcing a common language and methodology to improve empathy, trust, and the ability to keep eyes forward [on your own task].
A third approach to the “trust” paradox was presented over oysters and beers, though it was assuredly no less profound. A Bugcrowd user described his initiative to formalize the “security champion” role within his Engineering team. While common practice involves embedding someone from Security, this customer took a slightly different approach. He identifies an engineer who shows both aptitude and appetite for secure development, and formally charges them with best-practice design and enforcement. In this model, trust can almost be implied rather than built from scratch.
Vulnerability: “Create a culture that embraces vulnerability”
Malachowski was quick to clarify the difference between emotional and security vulnerability, but Dale Gardner’s (Gartner) session on vulnerability management made me wonder if both definitions weren’t equally relevant. Malachowski asserted that much can be gained when individuals feel comfortable exposing their weaknesses. To test this, she encouraged her team to share mistakes with their peers. While this is a matter of integrity, it’s also a matter of accountability, as it’s important to provide visibility into potential as well as real risk.
A true vulnerability management system facilitates the same outcome. Gardner noted that adoption of comprehensive vulnerability management systems has been challenged by 1) a “lack of a comprehensive, end-to-end view of risk posed by applications,” and 2) “no consolidated, ‘full stack’ view of vulnerabilities.” It seems much of the common-language work covered in the previous section would help break down these barriers, but Gardner suggested that the key is actually in filtering the narrative. I think Malachowski would agree: while it’s true your domestic activities might impact mental acuity in the air the next day, that information is probably not relevant to your peers. Which brings us to our final point:
Risk-Based Approach: “When shit hits the fan, loosen your grip.”
This was my favorite part of Malachowski’s speech. The above advice was bestowed after she struggled to maintain formation through a particularly turbulent patch of air. In a literal sense, Malachowski was advised to avoid overcompensating for every bump. This narrative tracks well with both Gardner’s and Craig Lawson’s (Gartner) advice for shifting to Risk-Based Vulnerability Management (RBVM). When executed well, RBVM is about creating a framework to account for everything, rather than trying to tackle it all at once, i.e., “Don’t patch everything, patch what matters.” [Note: I recognize there was an opportunity for a “don’t patch the rough patches” moment, but couldn’t bring myself to do it. I digress.]
This dogma was further elucidated in Lawson’s three-phase, threat-centric approach to RBVM: discovery, prioritization, and compensation. Begin with targeted elimination of imminent threats, i.e. the vulnerabilities a REAL attacker will target. Then move toward generic risk reduction as time and resources allow.
Tools for the Journey
While Malachowski’s advice for strengthening teams can be quickly actioned by most organizations, strengthening security posture is a bit tougher. Luckily, a variety of tools and solutions are available to help organizations do more with less. Segmentation and 2FA solutions can prevent and compensate for vulnerability exploitation, while IPS/WAF solutions can enable vulnerability patching where appropriate. To immediately multiply their capacity for vulnerability discovery and prioritization, organizations are increasingly turning to managed crowdsourced security programs, like those offered by Bugcrowd.
For more information on how Bugcrowd can help augment your existing security team, reduce barriers to collaboration, and expedite remediation in a risk-based approach to vulnerability management, contact us here.