Our CEO, Gary Robinson, presented at the Beltech Event, Day 2, live on YouTube on Tuesday 23rd June 2020, sharing his expertise and knowledge of cyber security and the vital role it plays in today's DevSecOps sector.
In this talk, Gary used a poker analogy to describe the nature of the threats present in cyber security and how tactics play into how we can protect ourselves. He spoke about how Uleska’s platform can assist teams in making their releases safer from these threats.
The "Cyber Poker" analogy describes cyber attacks and the defences against them as playing cards in a poker game. In poker there are 52 playing cards and numerous players, and opponents compete to win all of the assets (usually money) at stake.
One of the most interesting aspects of poker is that you don't know what cards your opponent holds. You may know the range of cards they could have - i.e. they must be among the 52 cards of the deck, and they can't be the cards you hold - and, based on how the opponent is betting, you can guess whether they hold high or low cards.
This has clear parallels with building a cyber security program: organisations such as OWASP and NIST publish lists of potential attacks, which make up the potential 'playing cards' that could be used against you. Consider the cards you hold to be the defences you employ in your systems, e.g. you've tested for SQL injection, checked your cloud security configuration, and verified your encryption levels.
In cyber programs, you also don’t know which cards (or attacks) your opponents will use against you.
Whereas in poker you are only allowed to use 5 cards, in a cyber security program you can introduce as many protections as you are able to.
Also, in cyber programs there are a lot more than 52 cards (attacks). The OWASP ASVS (Application Security Verification Standard) lists 287 types of technical attacks against web and mobile sites. NIST covers further operational and technical controls, and other bodies, such as the Cloud Security Alliance, cover more for specific technologies.
There are plenty of good security tools out there, both commercial and open source, but no single tool covers more than a fraction of the attacks that exist. AppSec tools don't cover cloud, container, or OS security. Source code scanning tools can't find dynamic issues, and dynamic scanners can't find issues that only show up in source.
This puts pressure on security programs to protect against as many technical attacks as they can, typically under time pressure, given how quick software release cycles are. This is where the poker analogy holds, as if we're now playing a 'snap' version: if your attacker has a card (attack) that you don't have protection against, and you're vulnerable to it, they win the hand.
Given that any organisation is 'playing' against multiple potential attackers, that's a lot of hands to play, especially when the game is rigged and the 'cards' keep changing. Whilst the standard 52-card deck hasn't changed in years, the set of cyber security controls we need to protect ourselves changes yearly. 10 years ago cloud controls wouldn't have been included; 20 years ago mobile security wasn't a thing. What will be needed 5 or 10 years from now?
This is where the Uleska DevSecOps orchestration comes in to strengthen security controls. By making it easier to incorporate multiple security tools into DevOps processes, teams can 'play more cards' by covering more security checks in less time. This helps them protect against more attackers without exhausting budget or personnel.
Gary’s talk at the Beltech event can be viewed here, between 02:07:25 and 02:22:55.
Thanks BelTech for having Uleska present on cyber security at the event. We look forward to participating in more events like this in the future.