The best advancements in technology are the tools that allow us to do multiple things at once.
Take the cellphone: containing the clock, a calculator, a cellular phone, a web browser, a mail service, a stopwatch, a calendar, a camera, and so much more. Or a laptop, a general-purpose computer that merges a television and a CD player and is mobile.
Even the once-viral tech, ChatGPT, allows us to research in less time, summarize results, and produce what we need depending on the prompt given to it.
So it's not surprising ‒ no, it's even normal ‒ to love and jump on the products and services that allow us to do multiple things at once. Like closing all security gaps.
Yet we have to sieve the make-believe from facts. Remember if it's too good to be true, it probably is false.
So why do we keep falling for it?
Can We Solve Cybersecurity Problems With One Tool?
I believe that if such a tool truly exists, it would make headlines immediately, and be sold at premium prices.
Currently, that's a fantasy.
And even worse, (if consistent updates aren't made), that tool will be obsolete a few months later.
Because hackers never stop improving.
Some security processes like threat modeling and penetration testing, still require a human touch. Unless your software was created strictly by bots for bots, the need for human touch is crucial to scrutinize everything at various stages of the software development lifecycle.
Even code that is created through prompts to a chatbot usually has to be revised by a human hand before it goes live.
The truth is that the unicorn tool is a marketing gimmick.
It's the crux of innovation. If companies over-promise, it's only instinctual to be drawn to them.
But with cybersecurity, that's not realistic.
This is where the voices of reason (your security experts) come in.
HOW TO BREAK FREE FROM THE MYTH
Realize that cybersecurity is not a one-and-done thing.
Software is constantly updated, new tools are always going on the market and hackers are constantly polishing their skills.
These 3 together ensure that there is no one time that you can decide to sit on your haunches because you are done with strengthening your software’s cybersecurity.
More than anything, cybersecurity is a constant change because of the threat and security landscape we live.
“Building security is a dynamic, ever-changing process.”
- Brook Schoenfield, cybersecurity expert, CTO at Resilient Software Security
There are numerous aspects of cybersecurity practice that require human input
Take threat modeling, for instance. This heavily needs the users, software designers (and threat modeling experts) to create an expansive yet concise report on the design flaws of the app or software. Even when you use blockchain as a security means, threat modeling should never be glossed over.
Penetration tests also provide results depending on the expertise of a (human) pen tester.
There are aspects of cybersecurity that can't be automated
Incident response and forensic analysis often require human expertise to properly investigate and understand the details of a cyber breach. Analyzing and understanding threat actors is difficult for AI to automate.
Developing security policies and procedures needs an in-depth understanding of the specific needs and requirements of an organization which can't be automated by AI trained on patterns.
What can be automated still requires human oversight
Processes like automated security testing (AST) can be automated. But who inputs the configuration for the test to work? That’s right. Humans.
Automated doesn't mean autonomous. It’s still very necessary for automation to be reviewed and managed by someone.
How Can I Prioritize the Most Important Parts of Security?
1. Input security from the ground up. Start your security measures early in the SDLC
By keeping security paramount as you design, code and develop your software, there is a reduced chance of integrating less-than-secure processes in your software.
Plus, there is an even better chance of finding these vulnerabilities way better product launch and the software is consistently reviewed.
2. Know your security risk profile
A risk profile is a quantitative examination of the types of threats an organization, asset, or software faces.
Knowing your risk profile places you at the forefront of your security allowing you to take the best path to protect yourself and to respond swiftly to attacks.
So far, this is the best AI-powered risk assessment I know of.
3. Threat model your software to find the design flaws
Threat modeling is the only security process that focuses on software design flaws, working from the inside out.
Rather than a pen test which finds vulnerabilities by posing as an external attacker (which may still miss other design loopholes), threat modeling scrutinizes the software’s design to find configurations that may be misused as an attack point.
The plus is, you can start threat modeling yourself.
When these are combined, you can say you have more comprehensive software security than depending on one tool to do all the work.
One tool can never provide all the security that you need, no matter what marketers claim.