In this episode, Jeff Williams interviews Bruce Brody of Cubic Solutions, a leading provider of specialized systems and services in the rapidly changing world of technology. They examine the relationship between federal cybersecurity rules and regulations, and how workforces can stay on top of educating their employees regarding the changing threatscape.
JEFF WILLIAMS: “How is application security different in the government sector versus the commercial sector?”
BRUCE BRODY: “In the government sector, there’s a tremendous amount of interest in the security of an application when it comes to a variety of different operating environments…e.g. Classified vs Unclassified operating environments.”
BRUCE: “If it’s going to be in a classified environment, then some very rigorous tests and evaluation need to occur before that application is approved…in unclassified environments, the application does have to withstand some scrutiny and some testing, but it’s not nearly as rigorous.”
JEFF WILLIAMS: “I was under the impression that most applications had to get their code reviewed. Is that true for most applications, or just a subset?”
BRUCE: “Well, a subset operates specifically in very sensitive and classified environments. …an unclassified environment has to go through an Authority to Operate process…and that’s a little less scrutiny on the application and more on the system level performance.”
JEFF: “Have you noticed a change in software development in government to more ad-hoc, DevOps-style software development?”
BRUCE: “Like all programs in government, the intent is there to move in that direction…there are some things going on with the Department of Homeland Security and across various agencies to put some good processes, some better processes, more agile processes in place. Those are moving along.”
JEFF: “I’ve seen you’ve written that ‘there’s no longer any reasonable argument regarding whether or not continuous monitoring is the right move for federal departments and agencies.’ Why do you think continuous monitoring is so important?”
BRUCE: “The government has long had an approach where periodic monitoring was okay [and] periodic scanning doesn’t give you the ability to take a look at a system that’s constantly changing and say if it’s as secure as when you originally authorized it to operate.”
BRUCE: “You need to turn periodic into a continuous look at these systems, so that you know that the controls you have put in place to elevate the security level of the systems are continuously in place and operating accordingly.”
JEFF: “If you want to actually do [application security] and keep things secure, you’ve got to be doing it continuously.”
BRUCE: “It’s a 24/7, 365 kind of approach to security that will [cause] the overall security posture of the federal government to improve.”
BRUCE: “Well, some people have argued that it takes a lot more money to do application security continuously. But if you do it right, continuous monitoring can actually save you money.”
JEFF: “What do you think the effect of continuous security is on the culture of security within a large organization?”
BRUCE: “Continuous monitoring puts you on proper footing when it comes to dealing with the risk management profile of an organization. … and when you’re operating in the continuous kind of mode, you’re operating in a mode that keeps everybody alert, awake, alive, and very well tuned-in to the kind of problems that need to be thwarted on a regular basis.”
JEFF: “Let’s talk about enterprise-wide impacts on the cultural impact of continuous application security.”
BRUCE: “The Department of Defense has actually put some fairly serious directives in place in terms of how to keep the workforce fresh and skilled. And those people who have specific cybersecurity responsibilities must have a certain specific qualification.”
JEFF: “Back [20 years ago] security was much more positive and driven from overall goals. In the last ten years, I think they’ve taken more of a negative approach to security, like, ‘We’ll pentest to find holes and then say something’s secure.’ How do you feel assurance has evolved?”
BRUCE: “You’re right. Nowadays it seems to be about over-emphasizing problems. …the fact of the matter is, we have taken more of a serious kind of a danger approach to the problem these days.”
JEFF: “Do you think we’ll ever get back to the point when assurance is actually something people care about? I would say the only confidence we have in our systems, and particularly our software, is that they haven’t been hacked yet, which really is a weak assurance argument.”
BRUCE: “At the corporate level, you’ll find that whether or not the board cares about security is kind of how it’s viewed across the corporate world. And that’s unfortunate, because very few board members have security in their background unless it’s actually a security company.”
BRUCE: “In the government, the only driver for being more secure is the last crisis that you had to deal with, and the heads that rolled in that crisis, and the processes and budget that were put in place as a result of that crisis.”
JEFF: “What are the key metrics you use to make sure you can sleep at night, particularly about your application security programs, but also as your program as a whole?”
BRUCE: “What do I want to know? I want to have the assurance that my business processes that I’m responsible for assuring, my mission that I’m responsible for delivering, that that mission has not been impeded or obstructed by something that I have some amount of control over.”
BRUCE: “We used to spend a lot of time on vulnerabilities, because we thought the more you reduced your vulnerabilities, the less of a target you became to the bad guys or to the threat. Nowadays, that problem has morphed into being threat aware. Threats are more dangerous and becoming more persistent.”