Technical Debt - a whole new perspective

10/28/2021

Cyber Matt Lee joins Felicia on Breakfast Bytes to talk about massive issues with technical debt.

Senior Director of Security and Compliance at Pax8.

You have to start with the right definitions. It’s not patch management, it is vulnerability management. You have to ZOOM in. Is your TPM up to date? Is your firmware up to date? Drivers, configurations, remove unpatchable software. Are you still susceptible to spectre and meltdown? What about SMB1, PowerShell 2.0, LLMNR, etc.? “That doesn’t have a patch, and you have to get rid of it.”

Where there is technical debt with a software code base, on a 5-year journey, you need to move to different software because the software vendors are literally incapable of updating the code base of their software. They are not actually doing the work to update the software. Their paradigms for software development lifecycle and codebase are crippling them from being able to correct issues.

Matt recommends finding SaaS platforms that suck over premise applications that suck because at least you are in the shared responsibility model.

Modern dev sec op practices are what is needed. You can build software that has a good paradigm.

We still acknowledge that there are issues with resources in the cloud as well unless an organization is willing to accept the risk of data sovereignty and the third-party risk of being disconnected from their services and data. Being disconnected from your data or being disconnected from your application because the SaaS vendor disagrees with your business model even though what you are doing is legal, this needs to be regulated out of existence. SaaS vendors are playing God.

And some things are just not cost effective in the cloud or are financially unobtainable in a SaaS format. Are you comfortable with the government accessing your data through backdoors? This is a very personal decision to each organization and individual.

15:30 mins - Matt talks about paradigm challenges that impede the ability to ever create bug free software. True SaaS should be able to iterate an outcome regardless of the hardware and OS that is accessing the system, so the software vendor does not have to plan for all the variables in their testing. This allows them to have a CICD development pipeline for their software.

Get to the nugget of what is required. An information security officer can get to what is really the intent of what the compliance requirements are asking for and translate that into what is required to fulfill that and protect the organization. Interpretation is required because too frequently the questions asked or requirements specified are not as specific or accurate as what is required.

26 mins – Vendor software development and vulnerability disclosure programs. The vendors need to tie revenue lost to the vulnerabilities. Software vendors are often setup for failure. Monolithic apps start at the top and run to the bottom of the code. Better models are where apps have microservices and each microservice can be corrected individually without a massive ordeal. A different software codebase paradigm allows for sprint teams to correct software bugs easier.

28 mins – There is no real effective possible way for many of these software vendors to fix their apps.

30 mins - It is in the C-Suite and the board to fix this. You are either going to die at the hands of threat actors, in an escalating war that we cannot win. Or you are going to start having practices that understand that this is a football game. There is no one right way to run a football play, but you cannot play with 9 players. You have no defensibility in your actions if you put only 9 players on the field when 11 are required. There are requirements and boundaries to any strategy or solution. If you don’t do the things you need to do, you don’t have defensibility.

If you are already fighting with all this massive technical debt, you are not going to ever win.

Go to tryhackme.com and find out how easy the threat actor side of this is.

 

https://tryhackme.com/