Last month we launched our 2017 CISO Investment Blueprint which analyzes survey responses from 100 security decision makers regarding the current state of application security. In addition to the survey results, we've chatted with several innovators in the security industry to get their thoughts on appsec today and the future.
In the past several weeks we’ve been publishing these interviews, filled with insights around the challenges and opportunities present for security decision-makers in 2017. We welcome your feedback and observations as well! Tweet us or shoot us an email to share your thoughts.
This week's interview is with Dave Farrow, Barracuda's Senior Director, Information Security, who has been instrumental in working with the security researcher community through their bug bounty program.
We also sat down with Dave last week at RSAC to hear about his conference session and his plans for appsec. Watch the video here.
Jason Haddix: How did you get into security?
Dave Farrow: I've been in the software business since 1991, and for most of that time, I was a software developer. About five years ago I made the transition from being a software development manager, into the security business, working with Barracuda. Now I have what might be the best job ever; I spend my time doing things that could land me in jail if I didn't have permission. We get to break into stuff. We get to fix stuff. We get to teach people, and we get to help people develop professionally so that they can make better products.
JH: What have the biggest challenges over the past year been for your team?
DF: In 2016 our security team primarily focused on closing the gap between development and security. It turns out that we speak different languages. Being a developer by trade, I very clearly recall the transition that I went through in learning about security topics and in learning about this sort of hidden underground world around the products that I had been developing.
JH: What have you done to overcome that challenge?
DF: This year we took the information that we gathered from all of our application security work–much of which came from Bugcrowd - and the work we were doing with our development teams and asked ourselves, ‘what can we do to make this subject more real to our developers?’ From there, we decided to launch a training program where we put our developers in the attackers' seat - at the end of the day, software development is the first line of defense. Writing secure code is the very first step in securing your systems, but it's awful to play defense when you have no idea what the offense is going to do. It doesn't matter what game you're playing; if you don't know what you're defending against, you will get beat every time.
Our theory is that 1) offense is super fun, and 2) if we teach the defenders strong offense, the defenders are going to be able to defend better and more effectively and they'll be happier about doing it.
JH: What do you think can be improved in appsec in the near future?
DF: We need to transform developers into security people. It's rare to see developers that are also security professionals, and we all know it's a hard enough job learning how to develop code. Learning how to abuse code to do awful things with it is what hackers do. It's a whole other field of study. And so it's unreasonable, I believe, to expect people to come out of school knowing this.
And for those of us who have been in the field for a long time, there are so many new technologies that didn’t exist when we were in school.It's an ever-evolving field of learning that needs to happen. Until learning those technologies and how somebody would abuse them becomes part of our DNA as developers, we're never going to stay ahead of the attackers. I believe that's really the fundamental transformation that needs to happen with developers.
JH: How has your bug bounty assisted in that mission?
DF: The bounty program that Bugcrowd runs for Barracuda is a great source of application security intel for our products and is the largest volume of vulnerability data we have coming in.
When we were setting out to build our security training program, we wanted to develop a game that would engage our developers and teach key ideas in a fun way.
We went back to the information we found from Bugcrowd, and we looked for trends. We asked 'Is there anything in here that looks like a systemic gap in our developers' understanding?' We built those gaps into the training program. The idea is to take a lot of the pressure out of the security conversation and make it make it about fun. So Bugcrowd's contribution to that was giving us a clearer idea of where some of the gaps were that we needed to fill.
JH: What additional value does the bug bounty provide?
DF: We have a small team, and it's hard to find qualified application security engineers. On top of making sure that our applications function securely, we're also chartered with making sure that our systems and our infrastructure are secure. The value that Bugcrowd brings is access to appsec professionals. I know that I don't have to go out and hire somebody, which could take nine to 18 months to do. I can turn on a bug bounty program and have access to top researchers immediately and get immediate results. It's an enormous value.
JH: Looking to the future. What are your 2017 goals?
DF: Out goal for appsec in 2017 is to keep moving what's already moving. We are making additional investments in our infosec
To learn more about top appsec challenges and opportunities for the upcoming year, download our recently downloaded asset, "2017 CISO Investment Blueprint."
We welcome your feedback and insights! Look out for our next Q&A session next week!