Virtualization Technology News and Information
IOActive 2020 Predictions: Interest In Secure Design Practices Is Increasing Leading To Two Predictions

VMblog Predictions 2020 

Industry executives and experts share their predictions for 2020.  Read them in this 12th annual series exclusive.

By Brook Schoenfield, Advisory Services Director at IOActive

Interest In Secure Design Practices Is Increasing Leading To Two Predictions

There is a trend toward heightened awareness of secure design practices, particularly the attack and defense analysis technique known as threat modeling. This trend implies two predictions for 2020 and beyond. First, security practitioners will need to understand DevOps software development practices to ensure that security can be designed into software from the start within a DevOps process. DevOps offers developers enormous productivity and operational gains. However, DevOps processes are vastly different from the older development models around which much software security thinking, and in particular secure design and threat modeling, has been conceived. This discrepancy leads to one prediction. At the same time, the increased desire to learn about and implement threat modeling (i.e., secure design) also has implications for the types of software flaws that we will be seeing as we gaze into the future.
  • Infosec doesn't understand modern DevOps development and the huge shift it actually entails. Hence, serious software weaknesses in releases will continue to bedevil everyone.

DevOps offers a sea change in the way that software is built. Development organizations continue to deploy DevOps build/release/run technology trains at a dizzying rate. They do this in order to reap the rewards of increased pace of delivery, agility, better feedback on releases, testing gains, etc., while also embracing a different mindset that favours high collaboration and communication between differing aspects of a software development process. Common in DevOps is a myth that everything, including all security, can be automated. This pervasive DevOps myth is a perfect opportunity for security's participation and expertise. Security can advise on where automation can be brought to bear for better security while at the same time providing required human security analyses.

Meanwhile, back at the security ranch, a survey of existing Secure Development Lifecycles (SDL or S-SDLC) shows continued linear, waterfall thinking that lies in fair opposition to the practices and goals of DevOps. That means that security practices are not synchronized with the infinite-loop, highly parallel development practices that DevOps fosters. These practices don't take place in discrete "phases" or activities; once started, all tasks continue in parallel, coordinated around a hub of shared goals and high communication. The result of security's holding on to obsolete development practices will be continuing unnecessary friction between security and development, and DevOps missing needed security expertise, especially to prevent design weaknesses that leave software open to exploitation.

  • Secure Design Based on Threat Modeling

Though the technique of threat modeling has finally started to gain industry awareness, the resilience gained from threat modeling lags several years behind initiating the practice. So, while the coming year probably won't see a marked increase in more self-protective designs, software makers are going to be applying the technique more and more. Succeeding years should start to reap the benefits of this work over time.

At least by the publication of NIST 800-14, in 1996, it has been known that software will exhibit better security protection and resilience behaviours when security is considered as a part of design activity. Since, in those days, software development was largely thought of as a linear progression, NIST called for "early" security consideration. 

Today, with DevOps, design is one of a set of linked and dependent development activities that often occur in parallel to each other. Still, it remains critical to consider potential attackability, and the defenses that must be built, during software design activity. Analyzing for attacks and defenses is termed "threat modeling". Over the last few years, threat modeling has achieved a much higher level of importance and visibility for software makers. Many software development organizations are, at the very least, thinking about threat modeling, if they haven't yet initiated a threat modeling practice. Threat modeling, and the resulting more attack-resilient software, should ensue.

For 2020, because secure design predicated on threat modeling is a long-term endeavor with a significant, sometimes multi-year lag from practice to release and effect, we wouldn't expect a huge decrease in the number of design-related flaws discovered during the year. However, over the next 3-5 years, organizations that have instituted a secure design programme based upon threat modeling should see their number of design issues decrease significantly. As more organizations adopt threat modeling, the software industry will then start to reap the benefits of secure design overall.


About the Author

Brook Schoenfield 

Prior to joining the IOActive Advisory Services team in February, Schoenfield worked at McAfee LLC (formerly Intel Security Group and McAfee, Inc.) as the Principal Engineer leading product security architecture. In this capacity, he provided strategic technical leadership, training and mentoring 80 security architects and a team of over 120 professionals. He also served as Director of Product Security Architecture at McAfee, where he led a 60-person virtual architect team to cover all aspects of product security, from coding and testing, to secure design and architecture, including SaaS operations and vulnerability discovery, vetting, and disclosure. Prior to McAfee, Schoenfield spent over 11 years at Cisco as a Senior Security Architect, where he was originally hired as the company's first application security architect and charged with leading the application security team.

Published Friday, November 08, 2019 7:22 AM by David Marshall