Could a company revolutionize the security industry? Probably
Just like Uber pointed a sword at taxis, Kickstarter to banks, and Airbnb to hotels, could a company do the same in the security industry? TL;DR: Probably, but that won't be easy, and I can't see it happening soon.
Before diving into this matter, it's important to understand what keeps the security industry alive. And it's precisely this: 'wherever there is an asset, there is a risk.' This short and simple quote has created an industry that is too broad to be broken down with just a few hits. Not because of its size, but because of its diversity. Assets can take multiple forms, and the protection methods change accordingly, leaving no room for one-size-fits-all solutions.
Today, security encompasses laws, compliance, application security, technology risks, non-technology risks, education, malware hunting, malware analysis, forensics, and the list goes on and on. If there could be a revolution, it would happen in niches. So let's talk about my favorite niche: application security.
In application security, as security engineers, we aim to protect not only the data in the database but also the company's reputation, the website itself, and more. If we think about the root cause of all problems in those areas, what would it be?
Yeah, you probably guessed it. The human factor. On both sides, attacking and defending. So what does this mean? It means that if we could prevent the human factor from playing a role, we could secure things.
I believe that it's completely pointless to try to convince all attackers to stop; it's simply unreal. You can try to prevent some, for example, by finding girlfriends for them, but ultimately human nature is flawed. Just think about robbery and murders. We haven't fixed them so far, which are way more severe than protecting some bytes, from a humanistic perspective. Security still has a long way to go.
On the other hand, we could prevent defenders from making mistakes. That's for sure. It would be even better without defenders, i.e., humans, at all. Or if we could at least reduce what they need to do, the chance of errors would drop dramatically.
So how do we reduce or completely remove the human factor when building applications? One way is to delegate human activities. But to whom? Again, it's a small part of the big picture, but it seems very promising: Serverless Applications.
Serverless applications are applications that require servers, but you don't need to manage them, hence the term "serverless". By reducing this one task of managing the server, we can address 50% of the problems. The other 50% lies within the application ecosystem.
But Anderson, it's not solving the problem; it's delegating. Someone will have to deal with it at the end of the day.
Yes, I know, and it will increase the responsibility of the Serverless Infrastructure provider. Now the challenge is to find skilled people to protect it. They may fail, of course, but it's a good start.
Think about the recent list of zero-days, such as Heartbleed. One year after its discovery, big companies were still vulnerable. That means that leaving security decentralized is actually worse.
Whenever a zero-day appears, only a few companies patch "in time." In quotes because we never know who was exploiting those zero-days before they became public.
The bottom line is that if we could delegate tasks to someone or some company that could handle security, we would be reducing the human factor in our equations, thus leaving less room for errors in defense.
The challenge for serverless application providers, then, is to drive adoption and revolutionize the industry. But many won't change the way they program, many applications are only legacy without maintainers, and some will change and prefer to go back because of the benefits of their favorite development framework. Or the service level agreement with the delegated entity may not be fulfilled. Moreover, the ecosystem may not be mature (and it isn't). That's why I don't see it happening soon.
For now, we are still heavily dependent on the human factor. And that's too bad.
"If you decide on a career in web security, you can literally never run out of work. Vendors, specifiers & developers reliably got your back" @0x6d6172696f
Thank you.
