Over the last few years, repeated studies have noted the shortage of InfoSec professionals, both in the current workforce and in future availability. The rationale for this rests firmly on several driving forces.
This is a rather significant problem. Quarter after quarter, year after year, there are an increasing number of compromises, and these have tended to be more devastating and to affect a greater number of users. Last year’s credit reporting agency breach illustrates this: over half of the US population was directly affected, with the number of affected users exceeding 145.5M. But wait, there’s more. The issue had international implications, as 8k Canadians were affected, as well as users in the UK.
This problem is not going to slow down in the near future and is expected only to get worse. Increasing the workforce will take time, at least years. There are avenues to follow to alleviate a portion of this issue. There has been talk of implementing AI to assist with it; however, AI is not something that can be utilized for this in the near future. There is, however, a stronger case for applying machine learning and automation to the process now.
One area where automation is presently applied is web app testing. Web apps have caused many issues, as the vulnerabilities directly associated with them have not been adequately addressed. They are used frequently and are depended on by businesses and subsequently by consumers. These vulnerabilities have the distinct ability to be devastating to business operations. If they were to be exploited, attackers would be able to gain a significant foothold and make life interesting.
One cause of this has been the lack of SecDevOps, that is, applying cybersecurity to the development process. There is a lack of focus on this continuing endeavor, as management believes security can easily be added late in the process or as an afterthought. As a contributing factor, DevOps teams are incentivized to get the project done in a timely manner, with their gates measured as projects continue. The incorporation of security into this development process has historically been lacking.
The developers are faced with a conundrum. The web app has to be coded and implemented quickly; however, having security’s input throughout the process introduces a time lag, although a vital one.
One option to assist with, but not replace, InfoSec is to use a web app testing tool to test security through the development stages. Again, this would supplement, not replace, security review through the PenTest after the initial development is completed. Automated web app testing is a good first step and a good tool to apply throughout the development process.
Without critiquing individual packages, these tools produce a report noting the vulnerabilities found by the scan and rate them on a scale from informational to critical. After each scan, the dev team is able to address the areas of code and processes requiring additional attention.
The web app would then be scanned again. This re-scanning iteration is pertinent and required: as changes are made, there may be unintended effects, which would need to be addressed once noted by the additional scan. This process would continue until the web app’s vulnerabilities were reduced to an acceptable level of risk.
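As an added example (not code from the article or from Miel AI Solutions), the following Python script models the scan, fix, re-scan loop described above: it parses a scanner report in a constructed generic JSON shape (not any particular scanner’s output format), applies a severity gate with a configurable accepted-risk ceiling, and diffs two successive scans to surface findings that were fixed, that persist, and that are new since the last scan, which is exactly the “unintended effect” the re-scan is meant to catch. The report shape, the `check`/`location` pair used as a finding fingerprint, and both sample reports are assumptions constructed for this example.

```python
"""Severity gate and re-scan diff for automated web-app scanner reports.

Added example, not code from the original article. The JSON shape below
(findings with check, severity, location) is a constructed, generic format
and does not correspond to any specific scanner's report.
"""
import json
from collections import Counter

# The informational-to-critical scale the article describes, as ordered ranks.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample reports: the first scan, then a re-scan after the dev team's
# fixes. The re-scan clears two findings but introduces one new medium finding.
SCAN_1 = json.dumps({"findings": [
    {"check": "sql_injection", "severity": "critical", "location": "/login"},
    {"check": "reflected_xss", "severity": "high", "location": "/search"},
    {"check": "missing_header", "severity": "informational", "location": "/"},
]})
SCAN_2 = json.dumps({"findings": [
    {"check": "missing_header", "severity": "informational", "location": "/"},
    {"check": "csrf", "severity": "medium", "location": "/profile"},
]})


def parse_report(raw):
    """Parse a report and reject unknown severities instead of silently skipping them."""
    findings = json.loads(raw)["findings"]
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} for {f['check']} at {f['location']}")
    return findings


def fingerprint(finding):
    """Stable identity of a finding across scans (assumed: check type plus location)."""
    return (finding["check"], finding["location"])


def severity_counts(findings):
    """Count findings per severity, e.g. for a summary line in the pipeline log."""
    return Counter(f["severity"] for f in findings)


def gate(findings, max_accepted="low"):
    """Return (passed, blocking). A finding blocks if it is ranked above max_accepted.

    max_accepted is the team's acceptable level of risk; anything above it must be
    fixed before the build proceeds.
    """
    limit = SEVERITY_RANK[max_accepted]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] > limit]
    return (not blocking, blocking)


def rescan_diff(previous, current):
    """Compare two scans: fixed since last time, still present, and newly introduced."""
    prev = {fingerprint(f) for f in previous}
    cur = {fingerprint(f) for f in current}
    return {
        "fixed": sorted(prev - cur),
        "persisting": sorted(prev & cur),
        "new": sorted(cur - prev),  # regressions introduced by the latest changes
    }


if __name__ == "__main__":
    first, second = parse_report(SCAN_1), parse_report(SCAN_2)
    print("scan 1:", dict(severity_counts(first)), "gate passed:", gate(first)[0])
    print("scan 2:", dict(severity_counts(second)), "gate passed:", gate(second)[0])
    print("re-scan diff:", rescan_diff(first, second))
```

In a pipeline, `gate()` is the step that fails the build, and `rescan_diff()["new"]` is the list to review first after each iteration, since those are the findings the previous round did not know about. The accepted ceiling is a parameter rather than a constant because the acceptable level of risk is a business decision that differs between an internal tool and a customer-facing app.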
Charles Parker, Miel AI Solutions
charles.parker@mielaisolutions.com, 810-701-5511