These are the two famous words regularly used by programmers when they first begin to test a new programming language. I feel they fit into this blogpost, as it is the beginning of something new for me and my team.
We created a company. The company name? BinaryEdge.
So, why exactly did we decide to do this? The answer to this is quite simple.
We looked at our past and thought about the way we had seen Information Security being set up, delivered and executed, and wondered: could we do something better?
We started thinking about the times we had seen security fail our customers, about the outcomes of the root cause analysis meetings we had been in. At the same time we also started looking around, at how our industry affected other industries and how these industries had progressed across time.
One industry that became an absolute reference in terms of evolution over the last couple of years was the software engineering industry. Over this period, they went from using the waterfall methodology to using SCRUM/Agile.
They moved from Subversion to Git, and with that came GitHub, which made writing code more social and collaborative.
They started focusing a lot on making sure they automate different parts, that they test the code before they deploy it and that documentation is as important as the code.
We then looked at the sysadmins, the progress they had made over the years and the new tooling and techniques they had developed: they started using OpenStack, CloudStack and all different kinds of hypervisors and cloud systems. They started combining their work with the developers, collaborating and socialising, to form the DevOps movement, automating deployment and making it continuous and agile so that they could focus on delivering great products to their users as fast as possible.
If we look at those examples there are common factors that come out from them:
None of these involve technical paradigm changes. They are behavioural and methodology changes, and yet they bring great benefit to the teams and companies that use them.
We took note of all these things and then compared them to our own industry, the information security industry.
Although we can't make a direct comparison because of the different levels of maturity, we understood that we could learn a lot from them and improve our own industry.
When we looked at our industry across the years, at the services we had delivered to different companies, the people we had met and dealt with, and the outcomes of different situations, we gathered a list of goals that we wanted to focus on improving.
Security Engineering - For far too long security has worked the following way:
- Developers and sysadmins design the platform, write the code, configure the systems, put it up in production and then call the security consultants.
- Said security consultants come in, break everything, deliver a 100-page report and go on their merry way.
This way of working is like putting on a band-aid and hoping the wound won't open again.
It's a quick fix, one that might work in the short term but not in the long term.
The focus in this situation is only on the testing, and that testing is being done on a platform that was built on an unstable foundation. The lack of engineering (from a security perspective) at the beginning of the project is going to lead to bad design decisions, which will in turn lead to a higher number of vulnerabilities being found.
So one of the points we wanted to be sure to focus on was Security Engineering. Our consultants won't just break your projects, they will help you build them. We work with our clients from day 0 on their projects.
From the day the client has decided to greenlight a project, we work with them by helping them choose the technologies, design the architecture, and integrate security into the entire life cycle of the project.
To make sure we are able to deliver valuable work to our clients, we have developed custom-made platforms on which we can automate parts of the engineering work, keep up-to-date documentation about the security engineering of different projects, and let each of our consultants interact with the others, so that we deliver the best solution to the client's problem.
Agile Security - For far too long we have seen security become a blocker. The world is moving on and yet we still have people that recommend "do not go into the cloud", or that make suggestions that affect usability of products which, in most cases, should be the highest priority (if your product does not work, there won't be much for you to secure).
To help in this part we have developed a framework that we call BE-Agile. This framework focuses on the following points:
- Make sure security is working on the project from day 0;
- Make sure everything gets documented correctly and in a way that the information is useful;
- Make sure that security works in an agile, rapid and yet efficient manner, by not being a blocker to other teams while still allowing the security team to do its work;
- Create a strong foundation, by following a good set of security best practices, that our clients can then build upon to take security to the next level;
- Make security a continuous process instead of a one-off test type of process;
- Make sure that, in each phase, security has an interaction with the project and that it produces some data that can be used by our clients to measure the progress of their security.
That last remark brings us to the third point.
Measurable Security - One big question that security team leaders/CISOs/Heads of Security get asked often is "Are we secure?". The problem with this question is that security is rapidly changing: one minute you might be secure, and the next a new vulnerability might have been released.
We can, however, monitor the status of security across our ecosystem and monitor the progress of security evolution across an entire organisation.
For this reason it's important that we gather data. Data can be analysed, observed and transformed into metrics that help us guide and steer the security boat. One very important part of BinaryEdge is that we are a security company, but we are also very much a data company. We are working hard to make sure most of our processes and decisions are based on measurable data. Over the next couple of weeks we will be publishing some blogposts about our security research, which is focused on gathering security telemetry at an internet-wide level and combining this telemetry with machine learning to create models and automate parts of the data analysis.
Almost everything in your ecosystem can produce data to feed security metrics - from code, to people, to the infrastructure. We collect all this data and focus our research on making sure our machine learning modules can consume this data and output metrics that can help our clients progress the security maturity level of their organisations.
That brings us to the end of this introductory blogpost. We have set our targets on making security better for our clients by helping them across the entire lifecycle. More details on how we will do this will come in the next blogposts.
To my team I say: I look forward to this journey with all of you.
To our clients: Be Ready. Be Safe. Be Secure.