Dave Lewis on the tenacity of solvable security problems

The O’Reilly Security Podcast: Compounding security technical debt, the importance of security hygiene, and how the speed of innovation reintroduces vulnerabilities.

By Courtney Allen
May 10, 2017
Cracked earth in the Rann of Kutch. (source: Vinod Panicker on Wikimedia Commons)

In this episode, I talk with Dave Lewis, global security advocate at Akamai. We talk about how technical sprawl and employee churn compound security debt, the tenacity of solvable security problems, and how the speed of innovation reintroduces vulnerabilities.

Here are some highlights:


How technical sprawl and employee churn compound security debt

Twenty plus years ago when I started working in security, we had a defined set of things we had to deal with on a continuous basis. As our environments expand with things like cloud computing, we have taken that core set of worries and multiplied them plus, plus, plus. Things that we should have been doing well 20 years ago—like patching, asset management—have gotten far worse at this point. We have grown our security debt to unmanageable levels in a lot of cases. People who are responsible for patching end up passing that duty down to the next junior person in line as they move forward in their career. And that junior person in turn passes it on to whomever comes up behind them. So, patching tends to be something that is shunted to the wayside. As a result, the problem keeps growing.

Reducing attack surface with consistent security hygiene

We don’t execute on the processes, standards, and guidelines that should exist in every environment for how you’re going to do X, Y, and Z. Like SQL injection. If we are making sure we’re sanitizing inputs and outputs from our applications, this attack surface by and large goes away. Is it 100%? No, but nothing in security is 100%, sadly. For patching, again, you have to have a proper regimen in place. It’s sort of like this: I could build you a house if I have a hammer, but if I don’t have the context of the larger plan to build that house, I’m stuck.

There are tools available that can help you execute patch management. The tools and the abilities are there, but we need the processes to follow, and we need to execute on them. But the thing is, patching is not something that most people find enjoyable. We need to do a better job of seeing patching as an important part of protecting our environment and take pride in that.
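To make the SQL injection point concrete, here is an added example that is not code from the podcast, from Dave Lewis, or from Akamai. It places a login lookup built by string concatenation beside the same lookup written with bound parameters, which is the standard way to take that attack surface off the table. The SQLite schema, the two user rows, and the attacker strings are all constructed for this illustration.

```python
"""Added example: SQL injection in a login lookup and the parameterized fix.

Not code from the podcast or from Akamai; the schema, users and attacker
input below are constructed for this demonstration only.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed sample rows
    )
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: attacker input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the driver never interprets the input as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker inputs.
ATTACK_USER = "alice' --"      # closes the string and comments out the password check
ATTACK_PASS = "anything"
ATTACK_OR = "' OR '1'='1"      # classic tautology; works in either field


if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the comment sequence discards the password clause entirely.
    print(login_vulnerable(db, ATTACK_USER, ATTACK_PASS))       # alice
    # Vulnerable: the tautology makes the WHERE clause true for every row.
    print(login_vulnerable(db, ATTACK_OR, ATTACK_OR))           # alice
    # Parameterized: the same strings are compared literally and match nothing.
    print(login_parameterized(db, ATTACK_USER, ATTACK_PASS))    # None
    print(login_parameterized(db, ATTACK_OR, ATTACK_OR))        # None
```

The parameterized version needs no escaping logic of its own because the database driver transmits the values separately from the statement text, so there is no point at which a quote or comment sequence can change the query's structure. (Plaintext password storage here is only to keep the demonstration short; a real table would hold salted hashes.)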

Innovation’s role in reintroducing previously solved problems

Well, the Internet of Things (IoT) has really devolved into the new bacon. Any device you can get your hands on and slap an internet connection to is now IoT. I’ve seen kettles, I’ve seen toasters, I’ve seen toothbrushes that had internet connectivity. Here’s a question for you: if you have a device with an internet connection and you pull that connection, does your device stop working? I worry about this because we’re getting so bogged down in the crush to create IoT devices that we’re really, again, bypassing fundamentals. I’ve seen devices that are out on the internet using deprecated libraries, and in some cases reintroducing Heartbleed. This is abjectly silly. It’s a problem we tackled a few years ago, only to see it reemerge in IoT devices that are online. Or conversely, with the Mirai botnet, we saw default usernames and passwords. Programmatically, there’s no good reason for that. That is an easily fixed problem.

Post topics: O'Reilly Security Podcast