Strategies for building more secure products, navigating the unique challenges of open-source development, and growing the pipeline of outstanding cybersecurity talent topped a packed agenda last month at the third annual CyberSEED conference and hackathon, hosted by the Comcast Center of Excellence for Security Innovation (CSI) at the University of Connecticut.
When we launched CyberSEED in 2014 with our colleagues at the University of Connecticut, we had no idea how fast it would grow, but a quick glance at the headlines shows how critical cybersecurity issues have become.
CyberSEED seeks to address cybersecurity issues in two ways:
- bring together leaders from industry, government and academia to discuss challenges, opportunities and best practices; and
- provide an interactive, competitive environment for the cybersecurity superstars of tomorrow to test their skills against peers from across the country.
CyberSEED takes place over two days, with panels, keynotes and discussions running on tracks parallel to the hackathon events, which continue well into the late evening.
This year’s keynote speakers touched on a range of issues, including how to prepare for the challenges of securing IoT devices. Discussions included deep dives on IoT ecosystems; challenges for service providers and consumers; long device lifecycles; patching and upgradability; diverse deployment models; and non-standard and legacy communications protocols. There was a lot to take in, but three areas stood out as critical: DevOps, open source and workforce. On DevOps, the question of how to integrate security into the development and operations lifecycle produced a lively discussion of two valid but different approaches:
- Building a Culture of DevSecOps: The first approach holds that programmers should be educated, empowered and incentivized to treat security as a cross-functional concern, taken into account from a project’s inception all the way through deployment. The catch phrase is “build it in” (or “security by design”) rather than “bolt it on.” Security, or the lack of it, arises from decisions in designs, architectures, hardware and software at scale as well as from micro-level implementation issues (buffer overflows, for example). Programmers who understand this, and who are suitably incentivized to pay attention to security concerns, will produce more secure products. This approach requires a cultural shift within development teams, away from classic productivity metrics and toward metrics that reflect security quality. The shift can happen within the agile methodologies that already integrate development and operations concerns (DevOps), giving rise to DevSecOps. DevSecOps builds on the Agile and DevOps work already under way at companies like Comcast and brings security specialists in early, during design and operational planning, to influence decisions that have security implications. As in existing DevOps models, the security experts join as peers on tightly coupled teams that follow the usual continuous integration and continuous delivery practices.
- Keeping DevOps as DevOps: The second school of thought holds that most developers working in DevOps models will struggle to mainstream security awareness into their existing practices. Its advocates propose keeping security teams and DevOps teams in separate silos: developers continue to operate at DevOps speed, while security teams work in a parallel process that analyzes the code the DevOps teams produce and automatically wraps and intercepts, at runtime, calls to libraries that are liable to security issues.
Each approach has benefits and drawbacks. Runtime interception lets the security team act without slowing developers down, but it can only cover the library calls it knows about and cannot repair a flawed design; building security in costs more up front but reaches those design-level problems. At Comcast we have focused on the DevSecOps model, which requires a little more upfront work with teams but should result in better, more secure products. Both approaches have their advocates, and it will be interesting to see how each evolves.
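As an added illustration of the “wrap and intercept at runtime” idea behind the second approach, the Python below is example code written for this page, not Comcast’s tooling or anything shown at the conference. It interposes on the standard library’s subprocess.Popen, which subprocess.run, call and check_output all look up at call time, so they are covered as well. The developer code that calls subprocess with shell=True is left untouched; a security-owned shim, assumed to be installed at interpreter start-up (for example from a sitecustomize.py module, which is an assumption of the example), rewrites a metacharacter-free command string into an argv list with shell=False and blocks any call that would let input reach the shell. The policy, the metacharacter set, the developer_code sample and the in-memory audit list are all assumptions chosen for illustration.

```python
"""Runtime interposition of a risky library call (illustrative example).

A security team's shim wraps subprocess.Popen so that unchanged developer
code calling subprocess with shell=True is either rewritten to a safe
argv form or blocked, with every decision recorded for audit.
"""
import shlex
import subprocess

# Characters that give /bin/sh something to do beyond word splitting:
# command separators, pipes, substitution, redirection, globbing and
# comments. Quotes are not listed because shlex.split() handles them.
# This set is an assumption of the example, not a complete sh grammar.
SHELL_METACHARS = frozenset(";&|`$<>(){}*?[]~#\n")

# In-memory audit trail of (action, reason); a real shim would ship this
# to the security team's logging pipeline.
AUDIT = []


class BlockedCallError(RuntimeError):
    """Raised when an intercepted call violates the policy."""


def decide(args, kwargs):
    """Apply the policy to one Popen call.

    Returns (action, args, kwargs, reason), where action is "pass" (call is
    forwarded untouched), "rewrite" (shell=True turned into an argv list
    with shell=False) or "block" (the call must not happen).
    """
    if not kwargs.get("shell"):
        return "pass", args, kwargs, "shell=False"
    if args:
        cmd, rest = args[0], tuple(args[1:])
    else:
        cmd, rest = kwargs.get("args"), ()
    if not isinstance(cmd, str):
        # shell=True with a list passes only the first element as the
        # command; almost always a bug, so refuse it outright.
        return "block", args, kwargs, "shell=True with a non-string command"
    bad = sorted(SHELL_METACHARS.intersection(cmd))
    if bad:
        return "block", args, kwargs, f"shell metacharacters {bad} in {cmd!r}"
    argv = shlex.split(cmd)
    if not argv:
        return "block", args, kwargs, "empty command"
    new_kwargs = {k: v for k, v in kwargs.items() if k != "args"}
    new_kwargs["shell"] = False
    return "rewrite", (argv,) + rest, new_kwargs, f"{cmd!r} -> {argv}"


_ORIGINAL_POPEN = subprocess.Popen


def _guarded_popen(*args, **kwargs):
    """Replacement for subprocess.Popen that enforces decide()."""
    action, args, kwargs, reason = decide(args, kwargs)
    AUDIT.append((action, reason))
    if action == "block":
        raise BlockedCallError(reason)
    return _ORIGINAL_POPEN(*args, **kwargs)


def install():
    """Interpose on Popen. subprocess.run/call/check_output resolve the
    name Popen in the module at call time, so they are covered too."""
    subprocess.Popen = _guarded_popen


def uninstall():
    """Restore the real Popen."""
    subprocess.Popen = _ORIGINAL_POPEN


def developer_code(user_input):
    """Unchanged 'DevOps speed' code that builds a shell command from
    input (a constructed sample of the pattern the shim is meant to catch)."""
    completed = subprocess.run("echo " + user_input, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    install()
    print(developer_code("hello"), end="")        # rewritten, runs safely
    try:
        developer_code("hello; id")               # blocked before it runs
    except BlockedCallError as exc:
        print("blocked:", exc)
    for entry in AUDIT:
        print(entry)
```

The design choice worth noting is that the shim never tries to sanitize a string that already contains shell syntax; it either proves the call needs no shell and rewrites it, or refuses and leaves a clear audit entry for the developer to act on. That keeps the silo boundary the second approach describes: the DevOps team sees a failing call and a reason, and the security team owns the policy.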
Other topics included:
- Evolving Security for an Open Source Ecosystem: Open-source software offers significant advantages to enterprises of all sizes, but it also raises unique challenges for security engineers. The distributed nature of the open-source development process, coupled with the speed at which new code is developed, demands much greater agility on the part of security engineers. These modules often provide generic but valuable functionality, so improving their resilience against attack by fixing bugs would benefit every company that uses them. CyberSEED 2016 participants discussed creating a more formal, consortium-driven “bug bounty” program for open-source software, which could encourage open-source communities to more actively submit, track and ultimately fix defects in key modules.
- Creating Tomorrow’s Cybersecurity Workforce: One of the biggest challenges in cybersecurity today has nothing to do with malicious code or security vulnerabilities. Demand for talented cybersecurity professionals is growing at a breathtaking pace, and we need more programs like UConn’s CSI to help keep up with it. Events like the CyberSEED hackathon are extremely valuable, but we are not seeing them at the scale the growing need requires. Participants discussed a promising project by the National Science Foundation and Intel that will, among other things, develop a standard cybersecurity curriculum for universities; the multi-year effort will be finalized with the ACM 2017 Cybersecurity Curricula Guidelines report next year. Speakers also touched on the difficulty of attracting students to STEM fields in general, and the consensus was to promote STEM at the earliest educational stages, starting no later than high school. Special emphasis was placed on the diversity of this workforce and the observation that there are still untapped pools of diverse talent. There was clear agreement on the importance of introducing cybersecurity courses throughout college-level curricula (Computer Science, Computer Engineering and Electrical Engineering in particular!). Everyone agreed that making technical talent cyber-aware is not enough: such programs should extend to non-technical fields as well.
One thing CyberSEED made abundantly clear is that we have a lot to do as a global cybersecurity community. But seeing more than 50 schools and their bright, focused student teams come together to tackle a series of increasingly difficult challenges made me confident that we are going in the right direction.