Every Security Team is a Software Team Now

Black Hat USA 2019

Presented by: Dino Dai Zovi
Date: Wednesday August 07, 2019
Time: 09:00 - 10:00
Location: Mandalay Bay Events Center

As software is eating the world, every company is becoming a software company. This doesn’t mean that every company is shipping software products, it means that services and products in every field are becoming increasingly driven, powered, and differentiated by software. Let’s explore what that will do to how cybersecurity is practiced in enterprises of all types.

Peter Drucker famously said that “Culture eats strategy for breakfast.” There have been two large cultural shifts in software engineering over the last 20 years that created the successful strategies behind how software is eating the world. First, there was Agile (2001). In response to the inefficiencies of classic “waterfall” software development, Agile focused on breaking down the barriers between software requirements, development, and testing by having software development teams own their roadmaps as well as their quality. Separate product management organizations evolved into product owners working directly with the software team. Similarly, separate quality assurance organizations evolved into a focus on building quality into the software development process. This should remind us of how we talk about needing to build security in, but most importantly, this change was effected by software teams themselves rather than forced onto them by a separate security organization. There is a lesson to be learned there.

Next came DevOps (2009), which brought the agile mindset to server operations. Software teams now began to own their deployment and their uptime. Treating software teams as the end-user and customer has driven the replacement of traditional ops with the cloud and of the traditional stack with serverless models. Ops teams evolved into software teams that provide platforms, tools, and self-service infrastructure to internal teams. They provide value by increasing internal teams’ productivity while reducing costs to the entire organization through economies of scale and other efficiencies. When a cross-functional team owns their features, their quality, their deployment, and their uptime, they fully own their end-to-end value stream. Next, they will evolve to also own their own risks and fully own their end-to-end impact.

There are two big shifts involved as teams begin to own their end-to-end impact: software teams need to own their own security now, and security teams need to become full-stack software teams. Just as separate product management and quality assurance organizations diffused into cross-functional software teams, security must now do the same. At his re:Invent 2018 Keynote, Amazon’s CTO Werner Vogels proclaimed that “security is everyone’s job now, not just the security team’s.” But if security is every team’s job, what is the security team’s job? Just as classic ops teams became internal infrastructure software teams, security teams will become internal security software teams that deliver value to internal teams through self-service platforms and tools. Security teams that adopt this approach will do the most to reduce risk to the organization while also minimizing the impact on overall productivity. In this talk, we’ll explore how this is already being done across high-performing companies and how to foster this security transformation at yours.

Dino Dai Zovi

Dino Dai Zovi is a Staff Security Engineer at Square. At Square, Dino currently oversees security engineering for Cash App and had previously led the development of the company's mobile tamper detection and remote attestation platform, helping Square launch payments in Chip and PIN markets. Dino is a security industry veteran who co-founded Linux server attack protection vendor Capsule8 and security research firm Trail of Bits. He has also held early leadership roles at Endgame, Two Sigma Investments, and Matasano Security. He began his cybersecurity career in Red Teaming at Sandia National Laboratories and penetration testing with @stake. Dino is best known in the security community for winning the first PWN2OWN contest at CanSecWest 2007; presenting his security research at leading conferences such as Black Hat, RSA, and DEFCON; and co-authoring the books “The iOS Hacker’s Handbook,” “The Mac Hacker’s Handbook,” and “The Art of Software Security Testing.” As a long-standing member of the Black Hat community, he is also a member of the Black Hat Review Board as well as a co-founder, organizer, and host of the annual Pwnie Awards. This year will be Dino’s 20th consecutive year attending Black Hat.
