I had the pleasure of attending this year’s Locomocosec on the beautiful island of Kaua’i. The conference was in its second year and was a 3-day, single-track conference focused primarily on product security. There was a perfect mix of companies represented among the 20+ speakers, 150+ attendees, and 10+ sponsors, all of whom are very passionate about product security. Not to mention, it was a very family-oriented conference full of inclusion.
Locomocosec was by far one of the most powerful and engaging software security conferences I have attended in quite some time. The talks ranged from the very technical to the process-oriented. The talks were all excellent, and the conversations between sessions were even better. James Wickett opened the conference with an intriguing keynote talking through what he is proposing as MEASURE for having a successful DevSecOps organization. This keynote set the stage for a very focused conference on improving product security, from which I walked away with three key takeaways.
1. Enable developers to be self-sufficient in finding and fixing security vulnerabilities
The development community continues to grow. Some numbers show there are approximately 23 million developers in the world. These developers are writing everything from operating systems to sensitive financial systems to the fun mobile apps your kids play every day. With so much code being written every day, it is impossible to scale security without enabling our developers to find and fix issues on their own. The only way to do this is to build security into developers’ existing pipelines, with tools such as Contrast Assess and Protect integrated into the process they already follow.
The cyber security shortage is real. Let’s build developers up to be part of the security process, able to find AND fix security vulnerabilities, while the cyber security professionals dig into the harder problems that tools and process have yet to solve.
2. We must walk WITH our engineers.
The days of just saying “no” as a security professional are long gone. With the recent DevSecOps movement, job responsibilities and roles are becoming blurrier when it comes to creating great software that is secure. Code is expected to be written fast, and security is expected to be built into the process without slowing down the build and deploy pipeline (which sometimes runs multiple times a day). It is more important than ever that security provide the tools and processes engineers need without slowing them down, so they can meet ever-growing business demands. As security professionals, we risk creating “gating” issues more than ever if all we do is say no and create blockers for our engineers. Gating occurs when security creates a process with a roadblock, and engineers find ways around it so it does not slow them down. Listening to speaker after speaker talk about the relationship between security and engineering, it was very apparent that we as cyber security professionals must walk with our engineering peers and, in some cases, even write a little code. Learn to say “let’s figure out how we can make that work in a secure way” rather than “No, you must do it this way.”
3. Stop blaming speed
Development is fast, really fast, and it will not slow down and wait for security to catch up. We will continue to quickly develop insecure code because the economics still favor it: insecure applications make money more quickly than secure applications have traditionally taken to be built and be ready to ship. Tools, people, and automation will help enable security to keep up; we must embrace new tooling technologies and stop our traditional blocking practices.
Product security practices will continue to evolve, and the lines between development and security will continue to blur. I highly recommend Locomocosec. Make sure to put it on your list for attending in 2020.