Building software for resilience (and why security teams need a good bedside manner)
The difficulty of building security into the application development process has become notorious in the industry. We spoke with the Denim Group’s John Dickson (Principal) and Dan Cornell (Chief Technology Officer) about how their company addresses this challenge.
The Denim Group takes its mission to be helping other companies build more resilient software that they can deploy on the web and on app stores without having to worry (worry unduly—there’s always some level of risk) about being attacked and hacked. Their ThreatFix product helps fix applications after they've been discovered to be vulnerable.
Their typical customers are organizations that build large scale applications internally—mobile, web, and IoT apps are all addressable. They begin by helping customers create a software development lifecycle that’s repeatable and that addresses security. “We help train developers so they make the least worst mistakes, and we do code reviews. We also help automate the entire process of application vulnerability resolution with ThreatFix.”
The Denim Group feels one of their differentiators is that “by background we're all developers. We understand what it takes to fix applications.” They think this has given them “a great bedside manner.” They’re not penetration testers who’ve learned some application development. Instead, they approached the market from the other direction.
At Black Hat, they’re struck by the extent to which security practitioners are still doing applications security “in the bug finding mode,” which the Denim Group considers to represent yesterday’s approach. Successful app security teams reach out to developers, put tools in their hands, and focus on actually driving vulnerabilities through to remediation.
We asked how the market for application security has changed over time. ”Certainly,” they said, “the awareness of it has. Initially our work was only leading financial organizations. They still lead--they have that immediate financial feedback loop. Certain segments of commerce, of the entertainment industry who've suffered acute pain. Healthcare lags behind. They're starting to get the incentive to change, but folks in healthcare are still dependent on vendors, which makes for a slower response cycle.”
Not all customers find it easy to invite a company like the Denim Group into their code. “We're typically brought in by security teams, because they understand the nature of the risk. From a skillset standpoint security people realize they don't have the background in development. It's natural for security teams to bring in outside testers. People know how to purchase that. In code-level engagements, that's where we see the resistance from the development teams. They'll cry we can't show them this, we're going to patent it, it's intellectual property. Of course there's intellectual property that must be handled carefully. But often there's resistance to being inspected. ‘We didn't know security was expected,’ they’ll say. ‘It's unfair for you to come in now and impose this new requirement on us.’ One of the strengths we have is our background that gives us empathy with the developers. We understand what it's like to have requirements imposed on you at the last minute. A lot of the tenor of the security community toward developers is negative. Things would be better if stupid developers didn't write bad code. We think that finding vulnerabilities is easy, but fixing them is where the real value lies. That's where you reduce the risk to the organization. It's not over when you tell the company about the vulnerability. It's over when they look at this and decide they'll accept the risk, or when they say they need to fix this, and implement some countermeasure and get it into production. Application security is ultimately going to have to be solved by a development team.”
The scale of the cyber security space is growing, the Denim Group thinks. The awareness of the problem has diffused to the general public, but the key stakeholders still face challenges in communicating with the public. Some of the challenges are driven by internal cultural issues. Organizations are still groping with devops and agile development, and a lot of that groping is being done in the business vertical. More devops and agile development in highly regulated industries “will bring a clash of cultures we have yet to see.”