The Most Valuable Resource of All: Time
This post was authored by Paul Asadoorian, CEO and founder of Security Weekly.
Over the last twenty years we have witnessed dramatic changes in the way companies write and ship code. First there was Waterfall, then the Agile movement of the early 2000s, and now we find ourselves in the Age of DevOps. Every one of these shifts was made with one goal in mind: ship more code in less time. After all, time is the great equalizer; whoever does more in less time will always end up in the stronger position.
As it relates to security, time is the hardest resource to come by. There is always more to do, never enough people to help, and rarely enough budget to buy the tools that would buy back some time. In the early days of security, when Waterfall development reigned supreme, there always seemed to be enough time for security practitioners to stop the next push to production. When the company already waited six months (and sometimes up to a year) to deliver new features to customers, what was another few weeks?
Credit: CommitStrip (https://www.commitstrip.com/en/2014/04/15/the-original-code/)
Moreover, the Internet was only just starting to pop up in homes across the United States, and the input vectors for web applications were fairly simple. The first web application firewalls (WAFs), built by Perfecto Technologies in 1999, could get by with a predetermined set of inputs flagged as potentially malicious, all of it done with rudimentary tools like regular expressions to decide when someone was up to no good on the Internet.
Unfortunately for those of us trying to adapt and evolve the way we stay ahead of attackers, the code that runs modern-day WAFs continues to replicate those antiquated designs from the turn of the millennium; the newfangled "CDN-based web application firewalls" are really just regex-based technology with a fresh coat of paint. So when your vendor tells you "there is no need to update or patch, you're secure!" the moment a new remote code execution vulnerability is disclosed, be skeptical. Their latest regex might well match that shiny new proof-of-concept exploit, but it does nothing against the polyglot exploits that are cropping up everywhere: payloads rewritten to reach the same vulnerable code while parsing differently from the signature the rule was written against, or to be valid in several contexts (HTML, JavaScript, SQL, shell) at once. A signature written for one PoC is a signature for that PoC, not for the vulnerability. This gaping hole in edge-based firewall tech does us all a disservice in addressing our most sought-after need: time.
Credit: XKCD (https://xkcd.com/1171/)
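To make the point concrete, here is a small added example (written for this edit, not code from Security Weekly or from any WAF vendor) of a regex-only rule set of the kind described above. Each signature is written against a single proof-of-concept payload; a second matcher adds the canonicalisation step (percent-decoding, comment stripping) that a less naive WAF would perform before matching. The rule names, the signatures and every request parameter below are constructed for the demonstration. Running it shows that the PoC payloads are caught, that normalisation recovers the encoding tricks, and that a payload which reaches the same sink through a different vector or a polyglot still sails through both matchers.

```python
import re
from urllib.parse import unquote

# Constructed signatures in the style of a first-generation, regex-only WAF.
# Each one was "written for the PoC", which is exactly the vendor response
# the post warns about: it matches that proof of concept and little else.
SIGNATURES = {
    "xss_script_tag": re.compile(r"<script>", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "rce_bash_subshell": re.compile(r"\$\(.*\)"),
}


def waf_blocks(raw_param: str) -> bool:
    """Naive matcher: run the signatures over the parameter as received on the wire."""
    return any(sig.search(raw_param) for sig in SIGNATURES.values())


def normalize(raw_param: str) -> str:
    """Canonicalise before matching, as a less naive WAF would:
    percent-decode twice (double encoding), strip SQL block comments,
    collapse whitespace. Still regex underneath, just fed cleaner text."""
    s = unquote(unquote(raw_param))
    s = re.sub(r"/\*.*?\*/", " ", s)  # UNION/**/SELECT -> UNION SELECT
    s = re.sub(r"\s+", " ", s)
    return s


def waf_blocks_normalized(raw_param: str) -> bool:
    """Same signatures, applied to the canonicalised parameter."""
    return any(sig.search(normalize(raw_param)) for sig in SIGNATURES.values())


# Constructed request parameters: first the PoC each rule was written for,
# then variants that carry the same attack in a shape the rule never saw.
SAMPLES = [
    ("poc_xss", "<script>alert(1)</script>"),
    ("poc_sqli", "1 UNION SELECT user, password FROM users"),
    ("poc_rce", "$(id)"),
    ("variant_xss_no_script_tag", "<svg onload=alert(1)>"),
    ("variant_sqli_comment_split", "1 UNION/**/SELECT user, password FROM users"),
    ("variant_sqli_double_encoded", "1%2520UNION%2520SELECT%2520user,password%2520FROM%2520users"),
    ("variant_rce_backticks", "`id`"),
    # One constructed string that closes out several HTML/JS contexts and then
    # fires an event handler: valid in multiple parsers, matched by none of the rules.
    ("polyglot", "javascript:/*--></title></style></textarea></script><svg/onload=alert(1)//"),
]


def evaluate() -> dict:
    """Map each sample name to (blocked_by_naive_waf, blocked_by_normalizing_waf)."""
    return {name: (waf_blocks(p), waf_blocks_normalized(p)) for name, p in SAMPLES}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:32s} naive={naive!s:5s} normalized={normalized!s:5s}")
```

The normalising matcher closes the comment-split and double-encoded SQL injection cases, which is the kind of incremental fix a vendor ships as "you're covered". It does nothing for the `<svg onload=...>` vector, the backtick subshell, or the polyglot, because none of those resemble the PoC the rules were derived from. That gap is structural to signature matching, not a bug in any one regex.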