episode 2 bruce brody of cubic cyber solutions

THE SECURITY INFLUENCER’S CHANNEL HOSTED BY JEFF WILLIAMS, CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY Episode Two: Bruce Brody, Cubic Cyber Solutions

Upload: contrast-security

Posted on 05-Dec-2014

Category: Technology


0 download

DESCRIPTION

In this episode, Jeff Williams interviews Bruce Brody of Cubic Solutions, a leading provider of specialized systems and services in the rapidly changing world of technology. They examine the relationship between federal cybersecurity rules and regulations, and how workforces can stay on top of educating their employees regarding the changing threatscape.

TRANSCRIPT


JEFF WILLIAMS: How is application security different in the government sector versus the commercial sector?

BRUCE BRODY: In the government sector, there's a tremendous amount of interest in the security of an application when it comes to a variety of different operating environments, e.g. classified vs. unclassified operating environments. If it's going to be in a classified environment, then some very rigorous tests and evaluation need to occur before that application is approved. In unclassified environments, the application does have to withstand some scrutiny and some testing, but it's not nearly as rigorous.

JEFF: I was under the impression that most applications had to get their code reviewed. Is that true for most applications, or just a subset?

BRUCE: Well, a subset operates specifically in very sensitive and classified environments. An unclassified environment has to go through an Authority to Operate process, and that's a little less scrutiny on the application and more on the system-level performance.

JEFF: Have you noticed a change in software development in government to more ad-hoc, DevOps-style software development?

BRUCE: Like all programs in government, the intent is there to move in that direction. There are some things going on with the Department of Homeland Security and across various agencies to put some good processes, some better processes, more agile processes in place. Those are moving along.

JEFF: I've seen you've written that there's no longer any reasonable argument regarding whether or not continuous monitoring is the right move for federal departments and agencies. Why do you think continuous monitoring is so important?

BRUCE: The government has long had an approach where periodic monitoring was okay, [and] periodic scanning doesn't give you the ability to take a look at a system that's constantly changing and say if it's as secure as when you originally authorized it to operate. You need to turn periodic into a continuous look at these systems, so that you know that the controls you have put in place to elevate the security level of the systems are continuously in place and operating accordingly.

JEFF: If you want to actually do [application security] and keep things secure, you've got to be doing it continuously.

BRUCE: It's a 24/7, 365 kind of approach to security that will [cause] the overall security posture of the federal government to improve.

JEFF: What about the expense of doing things continuously?

BRUCE: Well, some people have argued that it takes a lot more money to do application security continuously. But if you do it right, continuous monitoring can actually save you money. You're fixing things before they happen. You're anticipating. You're being proactive.

JEFF: What do you think the effect of continuous security is on the culture of security within a large organization?

BRUCE: Continuous monitoring puts you on proper footing when it comes to dealing with the risk management profile of an organization. And when you're operating in the continuous kind of mode, you're operating in a mode that keeps everybody alert, awake, alive, and very well tuned in to the kind of problems that need to be thwarted on a regular basis.

JEFF: Let's talk about enterprise-wide impacts on the cultural impact of continuous application security.

BRUCE: The Department of Defense has actually put some fairly serious directives in place in terms of how to keep the workforce fresh and skilled. And those people who have specific cyber-security responsibilities must have a certain specific qualification.

JEFF: Back [20 years ago] security was much more positive and driven from overall goals. In the last ten years, I think they've taken more of a negative approach to security, like, "We'll pentest to find holes and then say something's secure." How do you feel assurance has evolved?

BRUCE: You're right. Nowadays it seems to be about over-emphasizing problems. The fact of the matter is, we have taken more of a serious kind of a danger approach to the problem these days.

JEFF: Do you think we'll ever get back to the point when assurance is actually something people care about? I would say the only confidence we have in our systems, and particularly our software, is that they haven't been hacked yet, which really is a weak assurance argument.

BRUCE: At the corporate level, you'll find that whether or not the board cares about security is kind of how it's viewed across the corporate world. And that's unfortunate, because very few board members have security in their background unless it's actually a security company. In the government, the only driver for being more secure is the last crisis that you had to deal with, and the heads that rolled in that crisis, and the processes and budget that was put in place as a result of that crisis. We're always prepared to fight the war we just fought. We're never prepared to fight the next war.

JEFF: Yeah. That's frustrating that we can't see what's coming, even in the face of staggering evidence of insecurity. What are the key metrics you use to make sure you can sleep at night, particularly about your application security programs, but also as your program as a whole?

BRUCE: What I want to know? I want to have the assurance that my business processes that I'm responsible for assuring, my mission that I'm responsible for delivering, that that mission has not been impeded or obstructed by something that I have some amount of control over.

JEFF: Any final thoughts?

BRUCE: We used to spend a lot of time on vulnerabilities, because we thought the more you reduced your vulnerabilities, the less of a target you became to the bad guys or to the threat. Nowadays, that problem has morphed into being threat aware. Threats are more dangerous and becoming more persistent.

JEFF WILLIAMS WITH BRUCE BRODY