
Exploring the SOC's Perspective: Are Heated Seats Essential for You? - Season 1, Episode 7

Guidelines for maintaining software security: how do you prevent perpetual upselling in software development, and are heated seats truly essential in your software?

Safeguarding Software Engineering: Strategies to Ensure Security and Prevent Excessive Upselling; Assessing the Essentiality of Luxury Features like Heated Seats


Paul Ducklin and David Emerson, CTO and Head of Operations at our website, discuss the human element in cybersecurity in the latest episode of their podcast, "Tales From the SOC." The conversation revolves around the importance of intentional design in securing software engineering. Ducklin shares an example of a recent ransomware bug that resulted from poor library choices, highlighting the dangers of hasty and non-intentional coding.

Emerson emphasizes that 'intentional design' is the key to mitigating such issues. He criticizes sprawling codebases without a specific intent and stresses the importance of consistency in library usage. Emerson suggests several approaches to avoid these problems, from linting and code quality analysis to automating the pipeline. He insists that the foundation is intentional design, ensuring that the purpose behind the code is well-defined and the libraries chosen are likewise purposeful.

Ducklin adds that it is essential to evaluate discovered libraries for sufficiency, rather than simply assuming a well-named library will meet the required specifications. Emerson reiterates the importance of focused, less complex libraries and the need to avoid overcomplicating code through excessive library usage. He acknowledges the necessity of tools like GitHub's automated dependency checker, static analysis, and vulnerability scanning tools, but cautions against relying solely on them and urges teams to weigh the potential consequences of their suggestions before acting on them.

Ducklin explains that implementing intentional design principles helps manage the 'law of unintended consequences' which can lead to undesired dependencies in code. Emerson agrees and suggests deciding when libraries are necessary, using intentional design to choose libraries that meet specific needs consistently, and scrutinizing each library for security vulnerabilities. He admits that maintaining intentional design principles can be challenging, particularly when weighing security updates against potential regressions. However, he encourages regular automation, code formatting, linting, and static analysis to help manage technical debt.

Emerson further highlights the value of human-oriented code reviews, as opposed to relying solely on automated tools. He explains that human reviews fill in the gaps automation leaves and are a necessity for ensuring the correct functioning of any product. He acknowledges that the type and extent of human-oriented testing may vary depending on the product, but insists that code testing is integral to the development process.

Ducklin and Emerson also touch on the challenges faced by organizations in the cybersecurity industry, where the focus is often on more tools rather than effective implementation. They discuss the importance of a Software Bill of Materials (SBOM) but admit that it can be difficult for users to understand without familiarity with the underlying components.

Emerson proposes several strategies for users looking to avoid 'more tools, more tools' pitfalls. He encourages following industry benchmarks, maintaining openness to certifications, and establishing a vendor procurement process with clear guidelines to ensure thoughtful technology implementation. He also emphasizes the importance of understanding business requirements and consciously limiting the scope of technology implementations to meet specific needs.

Finally, Emerson underlines the significance of cybersecurity as a business value and not merely a cost. He proposes simple guidelines—like buying only what is essential and knowing what is valuable to the business—to help organizations make informed decisions when investing in cybersecurity solutions. He jokes that while heated seats might not be necessary, soft-close doors could be a worthwhile investment, suggesting a balanced approach to technology procurement.

Listeners are encouraged to connect with our website by sending an email to amos@our website, and readers can find more content on community-oriented security topics at our website/blog.

Finance plays a crucial role in determining the resources allocated for intentional design in cybersecurity, which is essential for securing software engineering and mitigating potential issues. Businesses must treat technology decisions as a priority, understanding that implementing intentional design principles can help manage technical debt and balance their IT investments, so that cybersecurity is considered a business value rather than merely a cost.
