
Could a company revolutionize the security industry? Probably

Just like Uber took a sword to taxis, Kickstarter to banks and Airbnb to hotels, could a company do the same in the security industry? TL;DR: probably, but it won't be easy and I can't see it happening soon.

Before digging into this matter it's important to understand what keeps the security industry alive, and it's precisely this: 'wherever there is an asset, there is a risk'. This short and simple sentence created an industry that is too broad to be broken in a few hits. Not because of its size, but because of its diversity. Assets take many forms, so the protection methods change accordingly, leaving no room for one-size-fits-all solutions.

Security today spans laws, compliance, application security, technology risks, non-technology risks, education, malware hunting, malware analysis, forensics, and the list goes on and on. If it could be revolutionized, that would happen in niches. So let's talk about my favorite niche, application security.

In application security, as security engineers, we aim to protect not only the data in the database but also the company's reputation, the website itself and more. If we think about the root cause of all the problems with those items, what would it be?

Yeah, you probably guessed it: the human factor, on both sides, attacking and defending. So what does that mean? It means that if we could keep the human factor from acting, we could secure things.

I believe it's completely pointless to try to convince all attackers to stop; it's simply unrealistic. You can try to prevent some, by finding girlfriends for them, for example, but ultimately human nature is rotten. Just think about robbery and murder. We haven't fixed those so far, and they are far more severe than protecting some bytes, from a humanistic perspective that is. Security has a long way to go.

On the other hand, we could prevent defenders from messing up. That's for sure. It would be better without defenders, i.e., humans, at all. Or, if we could at least reduce what they need to do, the chance of error would drop dramatically.

Ok, so how do we reduce or completely remove the human factor when building applications? One way is to delegate the human activities. But to whom? Again, it's a small part of the big picture, but it seems very promising: serverless applications.

Serverless applications are applications that still run on servers, but you don't manage those servers, hence "serverless". Removing this one task, managing the server (and with it the operating system, the runtime and their patching), removes roughly half of the problems. The other half lies in the application ecosystem: your code, its dependencies, its configuration and the permissions you grant it, all of which remain your responsibility no matter who runs the server.
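To make that split concrete, here is an added example (not code from the original post) of a hypothetical Lambda-style handler in Python. The event shape follows the API Gateway proxy format (`queryStringParameters`), the database is an in-memory SQLite stand-in with made-up rows, and the handler names are invented for the illustration. The provider keeps the host, OS and runtime patched; the injection in the first handler is entirely the application's problem, and the second handler shows the fix that only the application's own developers can make.

```python
import sqlite3

# Constructed stand-in for the application's database: an in-memory SQLite
# table with two fake users. Illustrative data, not from any real system.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_handler(event, conn):
    """Hypothetical Lambda-style handler (API Gateway proxy event shape).

    The provider patches the host, the OS and the Python runtime; none of that
    helps here, because the query is built by string formatting from user input.
    """
    name = event["queryStringParameters"]["name"]
    rows = conn.execute(
        f"SELECT email FROM users WHERE name = '{name}'"  # injectable on purpose
    ).fetchall()
    return {"statusCode": 200, "body": sorted(r[0] for r in rows)}


def hardened_handler(event, conn):
    """Same handler with a parameterised query: the input is bound as data,
    so a quote inside it cannot change the statement."""
    name = event["queryStringParameters"]["name"]
    rows = conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()
    return {"statusCode": 200, "body": sorted(r[0] for r in rows)}


def compare(name):
    """Run both handlers on the same request and return the two bodies."""
    conn = build_db()
    event = {"queryStringParameters": {"name": name}}
    return vulnerable_handler(event, conn)["body"], hardened_handler(event, conn)["body"]


if __name__ == "__main__":
    # A tautology in the query string: the string-built query leaks every row,
    # the parameterised one matches nothing.
    print(compare("' OR '1'='1"))
```

Running it shows the point of the paragraph above: the managed platform did nothing wrong, yet the first handler leaks the whole table, because the half of the problem that lives in the code never left your hands.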

But Anderson, that's not solving the problem, it's delegating it. Someone will have to deal with it at the end of the day.

Yes, I know, and it shifts the responsibility onto the serverless infrastructure provider. The challenge then becomes finding skilled people to protect it. They may fail, of course, but it's a good start.

Just think about the recent list of high-profile vulnerabilities, such as Heartbleed. One year after its disclosure, big companies were still vulnerable. That means that leaving patching decentralized, every company on its own, is actually worse.

Whenever such a vulnerability appears, only a few companies patch "in time". In quotes because we never know who was exploiting it before it became public.
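The first step to patching "in time" is knowing which hosts are still exposed. As an added example (not from the original post), the Python below triages a constructed inventory of `openssl version` banners against the range upstream reported for Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release were affected, 1.0.1g carried the fix, and the 0.9.8 and 1.0.0 branches were never affected. The hostnames and the inventory mapping are made up for the illustration.

```python
import re

# Affected range per the upstream OpenSSL advisory for CVE-2014-0160:
# 1.0.1 .. 1.0.1f and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 are fixed;
# 0.9.8 and 1.0.0 never had the heartbeat bug.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Pull (major, minor, patch, letter, beta) out of a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013'. Returns None when no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def heartbleed_affected(banner):
    """True when the banner's version lies in the affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False  # no version at all: route to manual follow-up instead
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # '' is plain 1.0.1; 'a'..'f' are affected; 'g' and later carry the fix
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


# Constructed inventory of hostname -> `openssl version` output. The hosts
# are invented for this example; the banner strings follow the real format.
INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
}


def unpatched_hosts(inventory):
    """Sorted hostnames whose banner still reports an affected version."""
    return sorted(
        host for host, banner in inventory.items() if heartbleed_affected(banner)
    )


if __name__ == "__main__":
    print(unpatched_hosts(INVENTORY))
```

Treat this as first-pass triage, not proof: Linux distributions routinely backport security fixes while keeping the upstream version string, so a host reporting 1.0.1e may already be patched, and a host that only matches on the banner should be confirmed against its package changelog or with a live test of the heartbeat extension.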

The bottom line is that if we could delegate tasks to someone, or some company, that can handle the security, we would be removing part of the human factor from our equations, leaving less room for messing up on the defense side.

The challenge for serverless providers, then, is to drive adoption to revolutionize the industry. But many won't change the way they program, many applications are legacy code without maintainers, and some will switch and then go back because of benefit X, Y or Z of their favorite development framework, or because the provider they delegated to isn't meeting the expected service level agreement. Moreover, the ecosystem may not be mature (and it isn't). That's why I don't see it happening soon.

For now we are very dependent on the human factor. And that's too bad.

"If you decide for a career in web security, you can literally never run out of work. Vendors, specifiers & developers reliably got your back" @0x6d6172696f

Thank you.

