My alma mater, Florida State, lost the season opener to Alabama this year. In order to improve our game, would I recommend hiring more referees? If I planned like some of the tech industry, I might do just that, because its solution to losing games is often to hire more referees rather than smarter and faster players.
The referees in this Monday morning quarterback analogy are (roughly) cyber security professionals, ISSEs, software testers, quality assurance personnel, and code reviewers. Now, I’m not suggesting we should stop hiring for these roles, or that they are unimportant. In fact, I’d like to rotate them to a new responsibility, should they choose to accept it: Why not let them be the players? Why not let the software testers code and be software developers themselves? Why not let ISSEs be the Cisco and Juniper network engineers who actually configure the network?
For starters, let’s send cybersecurity personnel to coding classes. Let them work on small projects, and give them a chance to actually code a function with user input checking and without SQL injections. Show them that most major frameworks today, from Java with Spring to Ruby on Rails, already have security and encryption methods built in. Let them take the code reviews, compliance checklists, and Nessus / Retina findings they have seen dozens of times, and use them in their coding.
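The kind of small exercise described above, as an added example that is not part of the original post: a lookup function written the way a Nessus or code-review finding would flag it (string-built SQL), next to the same function with input checking and a parameterized query. The table, the usernames and the function names are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The penalty call: caller text is spliced into the SQL grammar itself."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, name):
    """Fix 1: the driver binds name as data, so quotes in it never become SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Fix 2: allow-list the shape of a username before it goes anywhere near a query.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def find_user_hardened(conn, name):
    """Input checking plus parameter binding; reject early, bind always."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))     # every row leaks
    print("parameterized:", find_user_parameterized(db, payload))  # []
    print("hardened:", find_user_hardened(db, "alice"))
```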
Let’s rotate some of the refs into the game. Don’t worry, the penalty calls will still be easy to make, because they are the same as last season: SQL injections, unvalidated web/user inputs, not applying easily available vendor patches, and using “password” as a password. These are like the high school football penalties: fumbles, missed catches, and just plain bad throws (Java exceptions, anyone?). Our archrivals, The Darknet Raiders, are whipping us season after season, and it’s long past time we tried a new strategy.