There’s a massive skills gap in cyber security, and it is most acute where cyber security meets software. Some estimates cite 3.5 million unfilled jobs in cyber security around the world, with other estimates stating one-in-three jobs in the US are unfilled.
As in any industry with a shortage, this means a flood of new workers has moved into cyber security, and organisations that would previously have demanded 8+ years of experience for certain jobs will now take someone with much less experience.
This applies in particular to roles that require key technical skills, and to those involved in application and cloud security. It comes at a time when the scale of security work and the growing frequency of software releases mean organisations have more security checks and reporting to perform.
It used to take months to create and ship a new software release. Modern software development techniques now measure the time between releases into the hands of customers in hours. Gartner has suggested that 90% of enterprises, previously perceived as the slowest to act on software releases, now want to release new updates daily.
Agile, DevOps, the ability to spin up cloud systems almost instantly, microservices, and other practices have put software teams in the driving seat, given them the keys, and accelerated at full speed. This is great for digital transformation and the pace of business change.
Business analysts and management can ask for new functionality and get it quickly. The business race then becomes which organisation can create the coolest new features ahead of its competitors, or catch up on the feature a competitor has just promised to push out.
This is where scale kicks in, because no mid to large scale company is just working on one feature. Enterprises have thousands of applications under their management, and each could have many upgrades and new features on the go.
But hold on - all these new releases and features will be code changes, yes? Those changes will process sensitive data, be subject to regulations, run on new configurations, and more - don’t we need to make sure they’re secure? Certainly regulations such as GDPR and PCI DSS agree they should be secure - see our blog on [Quick and Agile security testing, as needed for compliance].
However, as stated above, we don’t have enough security folks, and even if we did, it’s unlikely they would have the time to run all those manual security checks for each of these releases.
This is why, for the last 20 years, the software security industry has been moving more and more towards automation. It used to be that we would manually review code for SQL injections, now there’s a multitude of vulnerability scanners that can do this for us.
The days of using one tool to check an entire application are gone, thanks to the diversity of each application’s tech stack, which may combine different languages, cloud environments, web servers, data stores, containers, microservices, and other components, any one of which could change and introduce security flaws. This diversity extends further across the many teams you will have, each of which may use different combinations, flavours, and versions of platforms, web servers, databases, etc.
Our industry has come to a point where simply being able to run the automated security tools is, in itself, part of the skill of a security team or personnel. With more and more releases, from many projects, this diversity and scale becomes a blocker for releases.
It becomes a choice: either we don’t release this cool feature as quickly as our competitors, or we close our eyes and hope that we haven’t introduced any security issues and won’t get breached.
This is the fault of security as a whole. Our industry has insisted that security must be applied and adhered to, without providing cost-effective and scalable methods by which security can keep up with the speed of development releases.
Automate and orchestrate the automation
Allow automation and orchestration to remove many of those manual tasks security teams are performing. The Uleska Platform comes with built in integrations for many of the popular commercial and open source security testing tools, and is extensible for your custom scripts.
Stop repeated tasks such as setting up testing, interpreting results, alerting teams, communicating fixes to development teams, and reporting metrics and risk to stakeholders from consuming your security team resources.
The Uleska Platform automates these tasks for web apps, cloud systems, containers, microservices, and many more. It further provides extensive configuration and extensibility to fit into your security programs, taking those repeated, automatable manual tasks out of your team’s day-to-day work so they can concentrate on adding value in other ways, and allowing your security personnel to security test smarter, instead of harder.