Updated on April 16, 2016

To understand why online systems are plagued with seemingly endless security incidents requires a closer look at today’s security landscape.  Let’s first look at the vulnerable systems criminals exploit.  Top security company WhiteHat says it best on their home page.

Photo 1: Excerpt from the WhiteHat.com home page

According to WhiteHat, web applications are the greatest risk area.  WhiteHat goes on to say, “…most security budgets are spent on securing and monitoring the perimeter and endpoints”.  According to the FBI 2014 Internet Crime Report, “…IC3 received 269,422 complaints with an adjusted dollar loss of $800,492,073…”; keep in mind these are US losses, not global.

Aside from the claims and statistics, it does not take a security expert to understand the global force behind the online movement.  Virtually every product and service is moving online, and it stands to reason that criminals and crime are following the money.

Let’s change gears and look into the background of today’s top security executive, the Chief Information Security Officer (CISO).  The following is a Digital Guardian infographic on Fortune 100 CISOs.

Photo 2: Infographic from the Digital Guardian web site

The infographic tells us CISOs are predominantly male, well educated, and hold various security and audit certifications.  In short, nothing particularly remarkable outside of our expectations, but take a look at the following: 59% of CISOs have an IT work background, with only 13% having programming/engineering experience.

Makes sense: for years IT leaders have been successfully defending perimeters with firewalls.  In all fairness, firewalls will always be valuable, but they have not proven as effective at defending online applications as they have at defending IT infrastructure.  Indications are that Fortune 100 CISOs are not well equipped with the skills necessary to defend today’s vulnerable web applications.  Let’s look at some of the reasons why.

Writing software code, software architecture, debugging, and understanding the battery of tools is an entire domain of expertise.  Can programming be learned like any other challenge?  Of course, but let’s give programmers some credit: application development is an entire domain of knowledge and takes years to master.  Once that domain is mastered, learning to think like an attacker, breaking systems, secure coding techniques, secure coding libraries, and dynamic and static analysis security tools is, in all fairness, an entirely new domain of expertise to master, and one not taught in most universities.  Being a top defender of software and a secure software designer is a unique skill set.  This is why those who break into systems (e.g., pentesters) or secure traditional IT infrastructure don’t necessarily make the best application defenders.

Attacks occur where you least expect them, and this is often frustrating to newcomers in the application security profession.

To give some idea of the learning challenges: learning basic programming principles, like writing a “Hello World” program in Java, will take about 10 minutes.  Learning object-oriented design principles takes some months.  Learning the various Apache and open source packages you need to be competitive in a business environment can take years.  Understanding how to defend all that technology takes years of working through incidents, developing the security mindset, and understanding the tools and techniques.  A strong technical leader requires mastery of two domains, software development and security.  If you wanted a leader for security engineering this is all you would need, but you don’t; you want a CISO.  Now you need someone who also knows how to frame security challenges for smart executives and board members who may not be very technical.  Strong CISOs are rare individuals in high demand.

Photo 3: ThreatTrack Security

Today security is largely a software quality problem that can’t be addressed with the next vendor security-in-a-box solution.  Software security is a business and engineering quality problem – not an act of God.  Software code must be designed, built, and delivered securely.  Each step in the software development process (inception, architecture, development, testing, deployment, sunsetting) is important to overall solution quality and has historically been entirely within the domain of software engineering groups.  Let’s face it, software engineering leaders don’t necessarily appreciate security advice on how to build systems, especially when the suggested security quality improvements reduce execution tempo, which is closely tied to performance-based compensation.

Significantly reducing business risk depends on the CISO’s ability to influence and win the support of software developers, development leaders, business executives, and board members.  Even a CISO with the best background and skills may not be able to influence positive code quality and security improvements.  A CISO is not an army of one.  A knowledgeable CISO will fail without the proper support across business constituencies.  This is because security is everyone’s job, not only the job of the CISO and their staff.  Influencing systemic positive change throughout an organization is difficult, but it begins with role-dependent education.  Today’s CISOs must be as comfortable reviewing and recommending security architecture to a developer at the whiteboard as they are explaining the business implications of a security vulnerability to corporate boards.  CISOs must explain why engineering quality processes must be improved and recommend specific improvements when requested.  CISOs with the best blend of technology and business experience have the best chance of improving software code quality, influencing the most positive changes to security, and winning the respect of developers.

As our most valuable assets are brought online as Internet web applications, criminals abscond with our data while companies are busy tweaking firewalls.  Many companies are prodigiously squandering security investments in the wrong areas.  Indications are that Fortune 100 CISOs don’t have the best blend of skills and experience to defend software systems – the primary weakness.

The best CISO defenders of tomorrow will be those with experience coding/programming, designing, and shipping software products and services.  If a security leader with a development background is not available – build one.  Find a top engineering leader and begin building the security mindset.  Send them to security conferences where executives congregate, like the Gartner IT Security Summit.  Understanding the business implications of security, executive concerns around security, and how to communicate with executives are essential.  Send them to the SANS Institute to learn how to break software applications.  Theory is helpful, but hands-on skills are essential.  Attend security conferences like Black Hat, DEFCON, and others.  It can take years to find the best leader and build out a team.  Begin now, by investing in your own organization and growing some organic talent.  The trend is that all executives share security responsibility in a significant security incident, so the value of a knowledgeable security executive should not be underestimated.

I thought I would share a few initial impressions about a new infographic by udacity.com that I find interesting if programming is your profession.

Infographic: via Udacity.com

Java and C/C++ are not top-paying languages, which comes as a surprise.  I suspect other factors are involved.  For instance, the average MATLAB user may be more highly educated than the average Java or C/C++ programmer.  I don’t know a lot about MATLAB, but I suspect it’s a research tool similar to Mathematica as opposed to a programming platform.  I don’t see many software products delivered using MATLAB.

Another surprise is that Ruby is at the top of the stack for compensation.  Perhaps we are witnessing the market forces of supply and demand.  Historically there have always been fewer software developers than jobs available.  In the Ruby case, the ratio of available Ruby developers to jobs available may be better than, say, Java or C/C++.

To better understand future supply and demand, we may be able to glean some information from the Geography and Popularity data presented.  For example, if you see a large number of job openings in Geography and a declining or stagnating trend in Popularity, it may be an indicator of increasing pressure and increased compensation for developers.

Besides maximizing your compensation, there are other factors you should consider, like the long-term stability of the market.  If we take Java or C/C++ as the example, there is no way these languages are dying out.  They are great first languages, and learning the languages is relatively simple.  Learning how to use all the utility libraries and open source packages to make a commercial product can take years, but as you grow, so too will your compensation.  Learning is an investment in your career worth making, since compensation, as shown, is good overall compared to other languages, and stability and demand for these languages will be high for the foreseeable future.

Once you start to get Java or C/C++ down, you should definitely consider a scripting language as a second language.  The reason is that scripting languages are generally faster for getting a proof of concept rolling or quickly solving a research question.  Ruby is at the top of the pay chart, but I have been playing around with Python.  I initially considered JRuby, a particular implementation of Ruby that offers some of the advantages of Java.  In the end, I chose Python since I am a believer in the power of *NIX scripting and it’s easy to get going on every flavor of *NIX.

Figure 1: security infographic

Here is the raw public data behind the infographic, for those interested.  Keep in mind the information comes from the National Vulnerability Database (NVD) and CVEDetails, which is an aggregator of NVD information.  You may find these public resources interesting for your own projects or persuasive presentations on security.

(1) CVEDetails (NVD) Vulnerability
Provides the aggregated yearly information.

(2) Better or Worse?
Source for the quote.
2013 IC3 Annual Report, http://www.ic3.gov/media/annualreport/2013_IC3Report.pdf

(3) IC3 Complaints
Graph data for the number of complaints.
2013 IC3 Annual Report, http://www.ic3.gov/media/annualreport/2013_IC3Report.pdf

(4) Trust is Dead?
“…$180 billion or a 25% hit to overall IT service provider revenues [by 2016].”  James Staten – Forrester
* Hat tip to writer Kashmir Hill from Forbes for the web link to James’ article.

(5) Vulnerability Mixer

(6) Year with the most reported vulnerabilities to date?

(7) Most vulnerable product ever?
Java and Flash are not in the top 10

(8) Most vulnerable web browser?
Internet Explorer, not even close