When you’re in the midst of a security issue, getting to the point of feeling on top of security again can seem a million miles away. Because in the end, security is about being aware of what’s going on in your environment and having a proactive approach to dealing with the threats.
Being able to prioritize the severity of those threats and vulnerabilities that could impact the business is key to any security practitioner’s job. It’s in that vein that we recently spoke with Josh Sokol, an OWASP leader and the creator of SimpleRisk, an open source risk management tool he released to the community to help take some of the ‘obscurity’ out of security.
With a background in computer science, a deep understanding of OWASP principles and as the owner of a security program at a large company, Sokol has a lot of great advice on how to do application security as well as security in general.
OWASP & Up
Sokol joined the ranks at National Instruments as a Web Systems Engineer in 2007, and while he had an interest in security, he had very little experience with it. He graduated from the University of Texas, Austin in 2002 with a BS in Computer Science, “but at the time security wasn’t part of the college curriculum so I culled many of my early ‘hacking’ skills from sites like HappyHacker,” Sokol says.
By pure luck, many of OWASP Austin’s events took place at National Instruments, where Sokol began regularly attending meetings, quickly becoming the company liaison.
“Over the course of two years, I helped grow OWASP Austin to being one of the largest and most active chapters out there with weekly meetings, weekly study groups, monthly happy hours, and even its own conference,” Sokol says.
LASCON, the conference Sokol helped create with his colleague James WIckett, is coming up in late October, and will host attendees in over 50 track sessions during the event.
This year, Sokol moved from local to global, joining the ranks of OWASP’s Global Board of Directors. As in any global organization, OWASP has its ups and downs, “but in the end,” Sokol says, he’s enjoying being able to contribute along with “an amazing community of builders, breakers and defenders.”
OWASP has impacted Josh’s life in more ways than just becoming involved in the organization. “I’ve learned from past mistakes, and more recent experiences with OWASP,” giving him a much better foundation of secure coding knowledge. And it’s with that knowledge that Sokol has given back to that very community with his risk management system: SimpleRisk.
Success with SimpleRisk
During the transition from Web System Engineer to his full-time post as InfoSec Program Manager, Sokol decided that managing security risks was going to be a top priority.
“I quickly realized that the biggest hurdle wasn’t knowledge, but rather, tooling,” he says.
At first, Sokol tried using the tools already at his disposal, including Word docs and Excel spreadsheets, and quickly learned that these were “extremely manual and did not scale at all.”
After a long search for the ‘one’ risk management system, Sokol realized it just wasn’t out there. The GRC solutions were quickly denied by management for their “$500k price tags,” while the middle-of-the-ground tools just weren’t sophisticated or heavy enough to cut it.
“Eventually I decided to put my PHP and MySQL skills to use and do something about it,” says Sokol. “It took about a month of late nights and weekends to develop, but my first release of SimpleRisk debuted at BSidesAustin 2013.”
The open-source tool was designed “from scratch with security in mind and I am constantly leveraging the education and experience that I’ve received from OWASP,” he says.
Sokol found that while the concept of risk management isn’t elusive, the toolsets at security practitioner’s disposal usually are. “The unlucky majority usually end up spending countless hours managing risk via spreadsheets,” the SimpleRisk site states. “It’s cumbersome, time consuming, and just plain sucks.”
So, Sokol makes it easy for new SimpleRisk users. The tool can be set up in a matter of minutes, offers a Mozilla Public License 2.0 and, once set up, allows security pros to instantly “submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews.”
SimpleRisk’s newest iteration was just last month presented by Sokol to hundreds of security professionals at the Black Hat Arsenal. “Hearing others say that after trying everything else out there, my tool is the only one that does what they need it to do, will never get old,” Sokol says of attendee’s reactions.
Future plans for SimpleRisk include building a more scalable and secure hosted platform to offer a free tier for those working to get their own risk management program running.
Josh’s Security Takeaways for Practitioners
As someone who has quickly risen in the ranks of the Application Security community, Sokol has a lot to offer those just starting their programs. Here are 5 important lessons Sokol has learned as a security program owner:
- Frame vulnerabilities as business risks for a real chance at aligning your security goals with the organizations’ business goals.
Explaining vulnerabilities to business people has a very low margin of impact; It doesn’t mean your boss and other stakeholders are dumb, it’s just “because vulnerabilities don’t map back to standard business processes,” Sokol says.
So, instead of discussing how many severe vulnerabilities you found and fixed, or the number of SQL injections present, or the percent of vulnerabilities fixed between scans, come to your management with solid data on the probability of an application being hacked and the cost (in lost time, reputation and money) of such an incident.
In fact, as Gartner’s Joseph Feiman recently stated in the Hype Cycle for Application Security, “the most critical impact of using SAST is minimizing the risk of possible exploitation of application vulnerabilities.”
It’s the chance that one of those vulnerabilities could lead to a compromise, in turn leading to untold ramifications for the company that will go far in getting your point across to management. Once you’re framing security in a more digestible way for your management, it’s much more likely they’ll jump on your bandwagon. As Sokol says: “Think management cares about their customers and customer confidence? Damn right they do!”
If you don’t feel like management is listening to you, it may be time to re-evaluate how you approach them, Sokol suggests.
- At the same time, sometimes ‘we won’t be doing anything about that risk’ will just have to be good enough.
“I think that my single biggest struggle as the Information Security Program Owner at National Instruments has been in realizing that sometimes you just have to accept the fact that with limited resources, ‘We’re not going to do anything about it’ is an acceptable answer,” Sokol says.
It’s a tough pill to swallow, but, as Sokol says, “our role in the risk management process, as security practitioners, is to assess the risks in our environment and convey them to management.” If you’ve framed the issues to align with your managements concerns, that’s where your role ends.
Ultimately, it’s up to management to choose whether to reject or accept the risk. Sokol says that once he understood that that decision doesn’t fall on him, a weight was lifted off his shoulders.
- Having a CISO has more to do with the organization’s desired security maturity level than the size of the organization.
Sokol believes that the role of the CISO is part business-executive, part technical security manager, acting as a sort of moderator between security and business initiatives. “Without a CISO, you may have operational security, but you likely lack direction or a long-term plan for an actual security program,” he says.
“Having a CISO at the helm of the security program should be a priority for any business that deals in or maintains any sort of data that is considered sensitive or confidential,” Sokol says.
- Your developers will have varying degrees of security know-how as new hires. It’s up to you as the program owner to make sure they’re on the same level.
Sokol and his team at National Instruments created a two-day training program for all new hires designed to get everyone up to the same, secure speed. The goal is to “not only prevent them from creating vulnerabilities in their code, but also to [teach them to] fix any existing vulnerabilities that they come across.”
Secure coding, Sokol acknowledges, is not learned in two-day course, but his program gives them a solid foundation from which they can grow, and supplement as needed. The point is to get everyone to a certain level before they start at the company, then adjusting as you see fit.
- Realize that developers have much more on their plates than security, and help them by making writing secure code easier for them.
You don’t want to be the ‘boy who cries wolf’ at every small security issue with your developers, Sokol says. Security teams are focusing “100% of [their] time and attention on security so when others aren’t doing the same, it can make us feel like they’re not taking things seriously,” Sokol says. “We need to realize that security is just one of many things on a developer’s plate.”
Sokol suggests shifting the focus from lamenting about their lack of security education and offer ways of integrating security into the platforms and workflows they’re already familiar and comfortable with.
A great way to get your developers more actively engaged in security within the SDLC is to teach them to treat security vulnerabilities as bugs by managing security flaws through the developer’s bug-tracking system, a platform familiar to you developers.
About Josh Sokol:
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a B.S. in Computer Science in 2002. Since that time, he has worked for several large companies including, AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the information security program owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created SimpleRisk, the free and open source risk management tool, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.
Follow Josh on Twitter @joshsokol