Thanks, everyone, for joining us on the Security Influencers Channel. We ask industry thought leaders to share their experiences and ideas about security in the future. We're hosting a series of brief and highly informative interviews with influential security leaders and in 2015, we're talking about the implications of rapid software development and continuous security.
Today I'm thrilled to have with us Jacob West. He's the Chief Architect for Security Products at NetSuite. In his role, West leads research and development for technology to identify and mitigate security threats, particularly in cloud deployments and at the software layer.
West has over a decade of experience developing, delivering, and monetizing innovative security solutions beginning with static analysis research at the University of California, Berkeley and as an early researcher at Fortify Software.
Prior to this role, West served as chief technology officer for Enterprise Security Products (ESP) at HP, where he founded and led HP Security Research, which drives innovation through research publications, threat briefings, and actionable security intelligence. Earlier at HP, West served as chief technology officer for Fortify products and leader of Fortify Software Security Research.
A world-recognized expert on software security, West co-authored the book “Secure Programming with Static Analysis” with colleague and Fortify founder Brian Chess in 2007. Today, the book remains the only comprehensive guide to how developers can use static analysis to avoid the most prevalent and dangerous vulnerabilities in code.
In this interview, we discuss Jacob's views on the top security challenges facing companies today. I also ask Jacob what he thinks about the rapid advance of Agile and DevOps-style development and how he thinks that interplays with the current approaches to application security. On the heels of the Verizon DBIR, we also discuss what is going on with all of these security breaches today.
The following is a brief excerpt of our interview:
Jeff Williams: Let's start out with an open-ended question here: What do you believe the top security challenges are facing companies today?
Jacob West: Well, I have one that I think may be a little bit unexpected, although increasingly, I think people are aware of it. Then there are a few that are a little more expected, I suppose. The first is the overall talent shortage in security. HP and the Ponemon Institute did research last year that showed that roughly 40% of security roles across the industry were vacant. When you looked at senior roles, managers and senior individual contributors, that vacancy rate was at 49%, almost half.
So kind of compounding every other technical and business challenge we have in the security space is the fact that we're going into battle, going to war with roughly half of our forces missing. So I think that's the biggest challenge facing companies today.
Jeff Williams: So surely, as a forward-looking country and educational system, we are actively pursuing and creating more qualified security engineers then, right?
Jacob West: I think the answer is mostly "No," unfortunately. But let me start with one piece of optimistic data. The optimistic data I've got is that recent research shows that more new faculty positions, more currently open faculty positions, are targeting expertise in security than any other particular focus area within computer science. So that tells me that the universities have at least picked up on the demand signal.
The reality, though, is that today the university systems are not doing a great job of teaching security. We looked at the top ten computer science undergraduate programs, according to U.S. News & World Report. Looking at those in 2014, there were no required security courses for an undergraduate receiving a computer science degree from those schools. So we're talking about folks from U.C. Berkeley, Stanford, MIT who could have been through a four-year program without ever having a course that focused on security. That, I think, sends a very bad signal in terms of the importance that this topic has.
Jeff Williams: It would be like graduating civil engineers without any work in safety or something.
Jacob West: That's absolutely right. If you look at civil engineering programs--this is a comparison I've loved for a long time--the very first material they're confronted with is what happens when their field goes wrong? When there is a failure? When a bridge collapses or something of the like. I don't think we have anything equivalent in computer science.
Jeff Williams: That's funny. Studying failure is a really key part of most engineering programs, but we don't do it enough in computer science, particularly around security. That is a great thought. So what are you following these days? What trends give you hope in getting to a place where we have secure enterprises?
Jacob West: You know, I'm a technologist and I think this happens often in computer science. It's easy to get excited about technical solutions to problems and technical advances. But I tell you, after more than a decade of doing this, the best sign I've seen in terms of really shifting the balance of power here because for the most part, the industry keeps losing against the bad guys, is that boards of directors in 2014, I think, began to treat cybersecurity as a top overall business risk. So not within the IT function of the company, "What are we worried about and where do we apply resources?" But overall, in terms of the continuity and prosperity of our business, where does cybersecurity fall? Often now, for boards, it falls as number one or at least in the top three. I think looking at previous years, that simply wasn't the case. You didn't have that recognition at senior executive levels.
I think that is the single best sign I've seen in terms of really solving the problem or at least taking significant steps forward.
Jeff Williams: It's interesting; that's two topics, and two times you've said, basically, that the problem and the solution are people.
Jacob West: I think it's absolutely the case. Technology has a huge role to play and I've dedicated much of my career trying to develop innovative technology. I think that's a worthwhile pursuit and I think the industry will benefit greatly from technology. It's, in fact, necessary, but it's not sufficient. Unless we address the people part of the problem and the solution, we're never going to dig ourselves out of this hole with technology alone.
Jeff Williams: We have a lot of technology, particularly in application security. Why do you think Web applications are still the leading cause of breaches?
Jacob West: I think there are two main factors that cause this and obviously, there are secondary ones. But the two big ones are the Web is where we do business today. It's not just technology companies like NetSuite or HP, but healthcare, banking, video rentals. Every part of our lives as consumers and most of our business and our interaction with our users as a company is now conducted over the Web. So custom Web applications are simply the battlefield on which the security struggle of the 21st century is going to be fought or at least the beginning of the 21st century, because that's where the money and the assets are.
Now suddenly, because of this demand, they've been thrust into or given the opportunity to move into positions where they're actually engineers now. They're building real applications, not just sites. They may not have the background in theory and fundamentals that they need to do a good job there.
So I think we're dealing with a workforce that has grown very rapidly and is showing some signs of stress as it grows.
Jeff Williams: Where do you think we are in that cycle? Are we still kind of at the beginning of this? I guess I'm thinking of Marc Andreessen saying "Software is eating the world." I'm wondering where you think we are in terms of the development of the Internet?
Jacob West: I think we're still . . . I don't know how to describe this, but we're in the fledgling stages, right? We will look back in 10 or 20 years and think, "How did the economy survive in the early 2000s with things as unstable and unpredictable as they were?" I absolutely believe that we are going to get better in sort of order-of-magnitude or major paradigm-shift waves.
But I think we've got some painful years ahead of us. I think we're kind of coming to a climax in some sense of the opportunity for the bad guys and the ability for the bad guys to translate their technical skills into financial gain and the recognition within the industry of that problem. We know we've got the problem; we're not blissfully aware like we were a few years ago. But, boy, I think we've got some tough years, still, to invest before we're on top of solving it.
Jeff Williams: Yeah, I think that's right. I think there's no slowdown in software and security is still pretty basic in a lot of ways.
Jacob West: Look at the adoption of mobile technologies, which, I'm the first to admit, don't actually change many factors when it comes to security. But there are some differences, and we see, I think, both platform vendors and application developers repeating many of the same mistakes we saw with the advent of the Internet and the Web. That's kind of disconcerting because we really do need to learn from those past mistakes.
Jeff Williams: Jacob, you've spent your whole career focused on application security tools, and now you're the chief architect across a diverse security portfolio. Where do you think application security solutions like Static and Dynamic and Interactive need to go to better protect enterprise Web apps?
Jacob West: So there's one point that I've made for my whole career here and then there's another one that I've come to more recently. The first one is that we, as an industry, have to be really cognizant of the fact that tools don't replace people. I like to use the comparison of a chainsaw. No one buys a chainsaw, brings it home, leaves it in the backyard and expects to come out the next morning and find all the trees cut down. Likewise, if I'm a lumberjack today and I show up to work without a chainsaw, I'm going to get laughed out of the forest, right? I'm not going to be effective at my job.
So software tools, security tools in particular, are very similar. The ones that I think have the biggest contribution to make take an expert or a person working in some domain and amplify their capabilities, making them faster or more predictable or more consistent in their work. If we treated software tools the same way, we'd be a lot better off. That's the old piece of guidance.
The new one I've come to is that a lot of the technology we've built up, even when it works the way I've described, even when it multiplies or amplifies humans' ability, often, too often I would say, scales linearly in the number of people required to operate it.
So if I'm doing n lines of code or n applications today with my program and I want to do two times n next year, that's probably going to take two times the number of people I've got operating those tools in many cases right now. I think the solutions that are going to be most effective for the next decade or so are going to be solutions that don't scale linearly with the number of people required, solutions that amplify, in some exponential way, the input of a given person's cycles. I think those are going to be important because they mitigate the talent shortage that we're dealing with, and I think that's going to be a multi-decade problem to solve, and I think that points to a certain kind of technology that's going to be successful in the same time period.
To hear the rest of my interview with Jacob, click here.