The Security Skills Shortage And Its Moving Target Problem

essidsolutions

The world of applications is constantly disrupted. Security skills have to evolve as well. However, they are constantly subjected to a moving target problem. Abhay Bhargav, the founder of AppSecEngineer, discusses why you need to recognize and address it before it derails your security program.

There’s no denying it. Application Security is important to your organization. Critically important. Besides, there’s customer demand for it. There are regulatory requirements, Executive Orders on supply-chain security, and the risk of reputation loss to think about.

You decide that you need to hire. Needless to say, hiring is hard. There’s not enough supply, and there seems to be endless demand from many companies like yours fighting for, or fighting to retain, great application security talent.

You finally find someone suitable. They have a background in Application Security. They’ve done Web Security Pentesting, and probably have an OSCP. They understand AppSec vulnerabilities well. They really know how to work with developers to get them fixed. But they know how to exploit them better. Either way, they are now on-boarded into your organization, and they’re aching to get started with work. 

Quickly, to their chagrin (and if you’re a responsible security leader, yours as well), they realize that they are overwhelmed. They’re working with multiple product teams. Each product team has a different style of developing and delivering apps. The variables are truly mind-boggling.

  • Some teams deploy on a particular Cloud provider and deploy typical Linux servers. They do some automation for deployment with Ansible or some other Infrastructure-as-Code solution. They haven’t heard of Static Analysis. They don’t scan their third-party dependencies for security flaws. All they do is deploy everything into a staging environment two days before release. They sit on this hapless AppSec pro until they are done with the Vulnerability Assessment. If there are findings, they either argue against the relevance of the findings or they figure out a way to get their Product Management to accept the risk.
  • Then there are other teams that are deploying apps on some “unheard of” newfangled serverless platform. They are way more attuned to automated deployments. They even seem to be receptive to security practices, but they deliver code continuously, and no one seems to fully understand how their stack works, let alone if it’s secure. 
  • Then there’s another team that has (without any security sign-off) deployed their workloads on Kubernetes, hoping that this goes undetected by “pesky security people” for as long as possible.

Tackling Multiple Variables

As you probably realize, the variables are truly mind-boggling. Different stacks, different deployment environments, different levels of security knowledge and maturity, etc. Besides all this, now there’s cloud security to contend with. There are ten recursive rabbit holes worth of complexity right there.

You now have what is called a moving target problem. This means you have the following: 

  • Central (possibly siloed) security team(s).
  • Little to no knowledge of the stack. Basically, they have an awareness of only one part of the stack.
  • They come from a largely offensive background. Thank bug bounties and the exploit-obsessed security industry for that.
  • But they are dealing with more “dev-centric” stacks like Cloud, Containers and Kubernetes. This needs a different mindset.
  • No real involvement from engineering and product teams in security.

Your problem can be summed up by this amazing Mark Twain Quote: 

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”

You realize that what you need, at the very least, is: 

  • Self-service security that can be managed by the product teams. This means that they need systems and training to get this done. 
  • Security Personnel/Teams should be used in a consultative manner. They cannot be directly responsible for granular security concerns across multiple product teams.
  • Security Teams need to be trained and made capable of understanding modern deployment environments and some of the nuances of attacks and defenses against these environments. 

The pace of change in application development is exceedingly high. The landscape is immensely diverse. The supply of talent is disturbingly low. This leads to a constantly moving target in terms of your being able to secure your applications.


How to Manage the Moving Target Problem

Let’s look at some quick wins and strategic ways to get over the Moving Target Problem.

  • Systems over Goals: Success in security is all about building repeatable (and hopefully automated) systems. Systems can range from introducing secure defaults across the application source, to maintaining an updated inventory of third-party dependencies and scanning them for vulnerabilities, to post-deployment security verification of deployment environments. Systems alleviate the burden on humans. And we’re always short of human effort and energy. Building systems will ensure that people can focus their energies on the important stuff.
  • Encourage and guide career growth: As a team leader, it’s essential to be a mentor to your team members. Personal career growth is the single biggest motivator for employees to be more proactive in the workplace. There are a couple of ways you can help guide your team’s individual career paths:
    1. Make horizontal career growth easier to achieve. This opens up the possibility for, say, a developer with an inclination for security to transition into a new role as a security engineer. Employees that know they can switch to roles that best suit them are more willing to explore and respond to internal initiatives.
    2. Update your team with relevant skills. By far, the best response I’ve seen from teams is when employees get to learn skills that help them do their jobs better. Instead of a ‘spray and pray’ approach, upskill your workforce in the specific areas that are relevant to their jobs, or add a new dimension to their current roles.
  • Create a Culture of Threat Modeling: Threat Modeling is a practice of systematically identifying threats to the system, often even before these threats have come to life. Threat Modeling is a process that is best done as a cross-functional team. Senior Devs, Security Personnel, Product Managers, etc., come together to execute a Threat Model. This, if done well and often, can result in a massive culture shift. Threat Modeling, for one, increases the overall security awareness of the team(s). In addition, it gets people thinking about security from the early stages of building new features or ideating new implementations for the product. 
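One concrete shape the “Systems over Goals” point can take is a small, repeatable dependency-inventory check that runs without a security engineer in the loop. The script below is an added example, not code from the article or from AppSecEngineer: it parses a pinned inventory (requirements.txt style), compares each pinned version against a list of advisories with affected-version ranges, and reports the matches. Every package name, version and advisory ID in it is constructed for illustration; in practice the advisory list would come from a vulnerability database feed.

```python
"""
Added example: a minimal, repeatable third-party dependency check.
Inputs are a pinned inventory and a list of advisories; output is the set of
pinned packages whose version falls inside an affected range. All names,
versions and advisory IDs here are constructed placeholders, not real data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.10' into (1, 0, 10) so versions compare numerically, not as strings
    (as strings, '1.0.9' would sort after '1.0.10' and a scanner would miss it)."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str          # constructed placeholder, not a real CVE number
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None if unfixed

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        # An unfixed advisory affects every version from 'introduced' onward.
        return self.fixed is None or v < parse_version(self.fixed)


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; blank lines and '#' comments are ignored.
    Unpinned entries are rejected: an inventory you cannot pin, you cannot scan."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency in inventory: {line!r}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory: Dict[str, str],
                    advisories: Iterable[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, advisory_id) for every advisory that
    applies to a pinned package, sorted for stable, diff-able output."""
    findings = []
    for adv in advisories:
        pinned = inventory.get(adv.package.lower())
        if pinned is not None and adv.affects(pinned):
            findings.append((adv.package, pinned, adv.advisory_id))
    return sorted(findings)


# Constructed sample inventory (the kind of file a product team already keeps).
SAMPLE_INVENTORY = """
# pinned third-party dependencies (constructed sample)
requestlib==2.4.1
yamlparse==5.3.0
jsonschema-lite==1.0.9
"""

# Constructed advisories, chosen to exercise the range edges:
#  - requestlib 2.4.1 sits inside [2.0.0, 2.5.0)            -> reported
#  - yamlparse 5.3.0 equals the fixed version, so it is safe -> not reported
#  - jsonschema-lite 1.0.9 is below 1.0.10 numerically       -> not reported
SAMPLE_ADVISORIES = [
    Advisory("requestlib", "ADV-0001", introduced="2.0.0", fixed="2.5.0"),
    Advisory("yamlparse", "ADV-0002", introduced="5.1.0", fixed="5.3.0"),
    Advisory("jsonschema-lite", "ADV-0003", introduced="1.0.10", fixed=None),
]


def run_check(inventory_text: str = SAMPLE_INVENTORY,
              advisories: Iterable[Advisory] = SAMPLE_ADVISORIES) -> List[Tuple[str, str, str]]:
    """The whole system in one call, so it can be wired into a build or a cron job."""
    return find_vulnerable(parse_inventory(inventory_text), advisories)


if __name__ == "__main__":
    for pkg, ver, adv in run_check():
        print(f"{pkg}=={ver} is affected by {adv}")
```

The point of the two edge cases in the sample data is that the “system” has to get version comparison right on its own, because no human is reviewing each run: a fixed version must count as safe, and “1.0.9” must sort below “1.0.10”. A check like this is most useful when it fails the build on any finding, so the product team sees the result at the moment they add the dependency rather than two days before release.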

The Moving Target Problem is a very real issue happening in large and small companies. And in a time when security talent is hard to find and harder to retain, it’s imperative to recognize this issue early and take proactive steps to get ahead of the problem. 

How are you plugging the gap in the security skills shortage? Share with us on Facebook, Twitter, and LinkedIn.
