Cloud Control: Q&A with Brian Glas on Election Integrity and Cloud Challenges

April 16, 2024

Election Integrity and Cloud Challenges Through the Eyes of Brian Glas

Hey everyone 👋

Ian here, diving straight into it on Cloud Control this week with Brian Glas—a true pioneer who's navigated everything from FedEx's AppSec initiatives to the lecture rooms of top academic institutes like Union University. With his involvement in projects like the OWASP Top 10 and RABET-V, Brian's insights are invaluable for anyone looking to deepen their cybersecurity knowledge. Get ready for a deep dive into application security's past and future, the shifting sands of cloud risk, and the unique blend of teaching and real-world application. This is a conversation you'll want to pay attention to, happy reading👇

Question 1 💭

Welcome to Cloud Control Brian! Let’s start with this: what excites you the most in the field right now? What are your current focuses or projects that you think will be most impactful?

Answer 1 🎯

A lot of my focus right now is on the OWASP SAMM Benchmark, OWASP Top 10 2024, RABET-V, and studying cloud risk projects; each has the potential to directly help improve the overall state of secure software development in different ways. The OWASP SAMM Benchmark is working to collect a datastore of maturity scores for a wide range of organizations across the globe to help answer the age-old question of “How am I doing compared to others?” We are working on bringing broad insight into what progress we are making (or not) in the discipline of software security. The OWASP Top 10 is an awareness project that has become a pseudo-standard for better or worse. We need to ensure that the list drives beneficial behavior for the industry. There will be countless talks, tools, training, etc. built to help educate people about that baseline. The RABET-V project is a process that we piloted for three years to bring a risk-based process to evaluate election-supporting technology across organizational, architectural, and implementation perspectives. Our goal is to help organizations improve the security of technology related to elections to ensure their integrity. For the cloud risk project, we’re working on figuring out how to clearly articulate changes to the attack surface and risk profile for cloud architecture and infrastructure to help people manage the changing landscape.


Question 2 💭

Transitioning from an enterprise Java developer to leading the charge in application security at FedEx must have been a monumental task. Could you walk us through the challenges you faced in building the Application Security team and how you overcame them?

Answer 2 🎯

That was a crazy time at FedEx, and I didn’t have any idea how crazy it was until later; lots of 80-hour weeks as a manager. We were going to build an identity vault for IAM, then shifted to managing SSO, and then quickly moved to full AppSec. This was early in AppSec days so we would try to go to conferences to find others and ask what they were doing, only to learn we were one of the first dedicated AppSec teams that we could find. The OWASP Top 10 had just been released and there was minimal industry content and standards, so we made stuff up based on what we as a team thought made sense. We learned quickly that it was much easier to transition from a developer into AppSec than it was to try to teach traditional network or system security how to develop code. When I was there, we never had more than six individual contributors to cover the vast majority of FedEx, so we focused on building standards, guidelines, processes, etc. to teach others how to be responsible for their own security, and we became known as the “think tank” that could figure out and solve most any security problem.

Question 3 💭

As if that wasn’t enough, you also worked on the Trustworthy Computing team at Microsoft where you were part of efforts to future-proof Microsoft's products against evolving cyber threats. Could you describe a project where you anticipated future security challenges and implemented solutions that are still relevant or ahead of their time?

Answer 3 🎯

Working for the Trustworthy Computing team was amazing. Working at the headwaters for Software Security and at the scale they are responsible for was a great experience. One of the things that I was working on there was trying to threat model in HoloLens using mixed reality and natural language processing. It’s still something that I play with from time to time and would love to focus on one day. The other project I was working on that is still going strong is a process to ingest all the public open source we could collect and run it through a battery of tests including fuzzing and static analysis; responsibly report any validated findings and just run the pipeline 24/7. The goal is to do whatever we can to improve the security of open source, and that amazing team is still hard at work with that goal.

Question 4 💭

As a project lead and active contributor to SAMM and the OWASP Top 10, how do you see these frameworks evolving in the face of emerging threats? Are there any specific changes or trends that you've been advocating for?

Answer 4 🎯

These have been two impactful projects to work on. For SAMM, we have been working to keep up with changes in development but remain stable. It was originally more focused on larger companies with waterfall development methodologies, but now we have updated the model to apply to a much broader range of organizations that may use a wide range of different methodologies for development. For the Top 10, we made the shift away from raw incident counts for vulnerabilities that would keep things like Cross-Site Scripting always at the top to an incident rate similar to epidemiology where we look at how likely it would be to find particular CWEs (Common Weakness Enumeration) in a given application. Both SAMM and Top 10 have a challenge where they need to keep up with changes, but not too often. They are both used in foundational ways in the industry and if they change too often, then they will be discarded for something more stable. That’s why the Top 10 only updates every 3 years or so and SAMM also doesn’t undergo frequent major changes to the model.

Question 5 💭

You're in a unique spot working both in the cybersecurity industry and academia. How do you incorporate real-world security challenges into your curriculum at Union University? Could you share how a particular project or teaching strategy has successfully connected the dots for your students, making the lessons stick?

Answer 5 🎯

When I started teaching almost five years ago, they asked me to build a Cybersecurity program, which I did based on the security domains in the CISSP and my 20 years of experience. I’ll have my first graduates this Spring. I am also updating the Computer Science program to better represent what’s happening in the industry, including AI/ML, cloud architecture, and similar. One of my favorite things to do is to introduce students to specific challenges that exist in the industry. For example, right after the 2020 Iowa caucuses had their Android app meltdown and hit the news, I was able to get a copy of the application bundle and a security analysis report and bring it into class as a lab project for the students to pull it apart and analyze it to see if they could replicate findings within the report. In data visualizations, we’ve gone to the VERIS database that is used for the Verizon DBIR reports and performed analysis on the data to see if we could replicate findings, and built a mock detailed organization and presented findings and recommendations that would be tailored to that organization they created.

Question 6 💭

Managing this dual career as a department chair at Union University and as a part-time management consultant must be tricky. How do you balance the responsibilities and demands of both roles, and how does each role inform the other? What can people in either area learn from the other?

Answer 6 🎯

It’s definitely a challenge to balance the two. The students come first, and my consulting work is secondary. It does mean there are limits to what I can take as consulting work during the year when I’m teaching. However, I welcome the challenge because it allows me to keep working on new and exciting projects that I can incorporate into the classroom with the students: OWASP SAMM, Top 10, election-supporting technology, threat models, risk models, cloud architecture, and so on. I don’t want my experience and stories to get old and stale; that’s one of the primary benefits I can offer my students. I ran into the term “scholar-practitioner”, and I think it well represents what I’m trying to balance. For the students I have two primary goals: to teach them foundational principles in Computer Science and Cybersecurity, but also to teach them critical thinking, problem-solving, and practical hands-on skills so they can be contributors in their future jobs from the first day.


 

Question 7 💭

Having consulted on software security for years, what are some of the most common gaps you've observed in organizations' application security practices, and what advice would you offer to address them?

Answer 7 🎯

One of the most common issues I see with organizations is the belief that just buying tooling for automation will solve their security problems. In my experience, one of the most important factors for solid, secure code is culture. Culture is king, and culture can be really hard to change. The tooling is many times worse than useless if you haven’t invested in the people and process to support it. Tooling is useful to scale, but it needs context and support that only the people and process can provide.

A lot of future security vulnerabilities can be prevented with a security mindset early in the development process when working through requirements or user stories. Ask how someone could misuse this feature, or what’s the worst thing that could go wrong here; question assumptions, don’t just let them pass by, talk through both what it would look like for users to properly use your feature and how it would behave if they didn’t have your best interest in mind. This is a form of lightweight threat modeling that’s immensely beneficial.

Invest in your people. Game-changing events for your organization will come from the right people in the right place with the passion to make a lasting impact. I’ve had numerous examples in my experience where the right passionate person makes all the difference. Their genuine interest in doing it right is infectious and will spread to others, so that when it’s time for them to move on to the next thing what they leave behind will continue to flourish.

Question 8 💭

What keeps you motivated and excited about the field of cybersecurity? Are there any unexplored areas or projects you're itching to dive into next?

Answer 8 🎯

The potential impact and risk to people continue to increase. A lot of Cybersecurity used to be more about protection of data, financial loss, and identity theft. As technology and software become integrated into more and more of our everyday lives, the risk to people is more evident as we are shifting decision-making from humans to software. This shifting risk profile keeps me engaged and determined to help build models and frameworks to help provide a foundation for improvement and try to teach successive generations of future developers and security people to make a difference.

I want to spend more time continuing the work from Microsoft and RABET-V with a focus on figuring out how to visualize system architecture and measure what is “good” architecture. As I have free time I put more thought into it, working on what are the next steps to explore. With the amount of transition to cloud-based architectures and standardization at that level, I think we may have a chance to make major advances in architecture since we can largely describe infrastructure in code. This has been one of the biggest challenges because architecture can be more of an art than science and we’ve had difficulty being able to distill it into a format that can be read by machines.

I am also starting to explore how the attack surface and risk models have shifted in the cloud space. The goal is to better understand what’s happening from an attacker’s perspective and how well the defenders are reacting. We would like to help organizations visualize what’s happening and hopefully enable them to be more proactive.

Question 9 💭

Looking ahead, what emerging technologies do you believe will play a pivotal role in shaping the cybersecurity landscape? How should professionals in our field prepare for the security challenges and opportunities these technologies might bring?

Answer 9 🎯

Every time we push into new areas, functionality is king, and security is a second-class citizen, which results in new attack surfaces and risks. AI is going to make an impact; the question that is still outstanding to me is what type of impact. So far most of what I’ve seen is the result of someone being told to incorporate AI into some product, and most are not super helpful. Humans understand context, but don’t scale well; machines scale well, but largely don’t understand context. If we can figure out how to use something like AI to bridge that gap, we could potentially see some beneficial advances in the field. Right now, we are still fighting alert fatigue, massive amounts of false positives, and in many areas security that just isn’t able to keep up with the changes in development. I would love to see security become a competitive advantage and marketed as such, but that advantage is only in niche areas right now.

I’m seeing more of the shared responsibility model between cloud providers and tenants. The cloud providers are continuing to build out shared security functionality that can be more readily utilized by development teams. It’s critical to understand as a tenant what you are responsible for, and what the provider is responsible for. Question everything; as mentioned before, making assumptions and not asking directly leads to a lot of security vulnerabilities from misunderstandings and misconfigurations. Invest the time to understand, in depth, what you are responsible for and what your options are to secure them.

Question 10 💭

Lastly, as we look towards the next decade, what major shifts do you anticipate in the cybersecurity world? How do you envision your role evolving with these changes? What advice do you have for professionals aiming to stay ahead in the field?

Answer 10 🎯

That’s a serious challenge: this industry will simultaneously change in ways we never expected and be mired in issues we’ve fought for 20 years like Cross-Site Scripting, SQL Injections, and Buffer Overflows. Google’s Cloud Compromise report found that one of the most prevalent ways threat actors are compromising accounts is weak or missing authentication on remote access, something we had a problem with 30-40 years ago. We have to be careful; we are continuing to create more and more layers, and fewer people truly understand what’s happening within these layers. For me, I have the challenge of committing the time to keep up with what’s changing because I need to pass it on to my students. Academia has a reputation for being slow to keep up and in many ways several years behind the cutting edge of the industry. I’m trying to fight against that and update my coursework with current technology, processes, and knowledge. More students are coming to get a degree in Computer Science or Cybersecurity that will help them get a good job after graduation, where it used to be that they were more likely to pursue a masters or doctorate in the field. This change pushes us more into a professional school model, like business administration, than what we were traditionally focused on.

From my perspective, I would recommend keeping up with what development is trying to do and being careful of fads that may fade quickly, but we need to do everything we can from a security perspective to be part of the development process and tooling from day one. Security needs to stop chasing the FUD model; it’s only hurting the industry. Never stop learning; the only way to know how to help protect or break something is to know how it works. Study and get the free certifications offered for various cloud technologies; that should enhance your ability to keep up. Don’t lose sight of the fundamentals of networking, systems, and software; they are still there, just dressed up in different clothes.
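As an added example, not code from the interview or from any project Brian mentions: Answers 8, 9 and 10 point at three things that belong together, infrastructure described in code becoming machine-readable architecture, tenant-side misconfiguration under the shared responsibility model, and weak or missing authentication on internet-facing remote access. The script below audits a small architecture description for exactly those patterns. The resource schema, the resource names and the `remote_auth` attribute are assumptions constructed for this example and do not correspond to any real provider's format.

```python
"""Audit a constructed, simplified infrastructure-as-code description for
the failure modes discussed in the interview: remote-admin ports exposed to
the whole internet, internet-reachable hosts that rely on password or no
authentication, and publicly readable storage.  The schema is an assumption
made for this example, not a real Terraform/CloudFormation format."""

from dataclasses import dataclass, field

# Ports used for interactive remote administration.  World-open rules on these
# are the "weak or missing authentication on remote access" pattern.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
# Authentication modes this example treats as acceptable for an exposed host
# (attribute name and values are assumptions for the example).
STRONG_REMOTE_AUTH = {"key", "key+mfa"}


@dataclass
class Resource:
    name: str
    kind: str                        # "security_group", "instance" or "bucket"
    props: dict = field(default_factory=dict)


def world_open_remote_rules(group):
    """Ingress rules of a security group that expose a remote-admin port to any source."""
    return [r for r in group.props.get("ingress", [])
            if r.get("port") in REMOTE_ACCESS_PORTS and r.get("cidr") in ANY_SOURCE]


def audit(resources):
    """Return human-readable findings, one per problem, for the given architecture."""
    groups = {r.name: r for r in resources if r.kind == "security_group"}
    findings = []
    for res in resources:
        if res.kind == "security_group":
            for rule in world_open_remote_rules(res):
                findings.append(f"{res.name}: {REMOTE_ACCESS_PORTS[rule['port']]} "
                                f"(port {rule['port']}) open to {rule['cidr']}")
        elif res.kind == "instance":
            # Follow the graph edge instance -> security group to decide reachability.
            attached = [groups[g] for g in res.props.get("security_groups", []) if g in groups]
            exposed = any(world_open_remote_rules(g) for g in attached)
            auth = res.props.get("remote_auth")          # None means nothing configured
            if exposed and auth not in STRONG_REMOTE_AUTH:
                findings.append(f"{res.name}: internet-reachable remote access with "
                                f"{auth or 'no'} authentication")
        elif res.kind == "bucket" and res.props.get("public"):
            # Storage exposure is squarely on the tenant's side of shared responsibility.
            findings.append(f"{res.name}: storage bucket is publicly readable")
    return findings


# Constructed sample architecture: one intended-bad admin group, one internal
# admin group, an exposed bastion with password auth, a well-configured app
# host, and one public bucket.
SAMPLE = [
    Resource("sg-web", "security_group", {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}),
    Resource("sg-admin", "security_group", {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}),
    Resource("sg-admin-internal", "security_group",
             {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]}),
    Resource("bastion", "instance", {"security_groups": ["sg-admin"], "remote_auth": "password"}),
    Resource("app", "instance",
             {"security_groups": ["sg-web", "sg-admin-internal"], "remote_auth": "key"}),
    Resource("logs", "bucket", {"public": True}),
    Resource("data", "bucket", {"public": False}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run stand-alone, the script reports the world-open SSH rule, the bastion that sits behind it with password authentication, and the public bucket; the app host is silent because its admin port is only reachable from the private range. The point of the exercise is the one Brian makes: once the architecture is data, checks like these run continuously in a pipeline instead of depending on someone remembering to ask the question.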

Latest AWS and Azure Updates You Don’t Want to Miss

  1. AWS Systems Manager Parameter Store now supports cross-account sharing
  2. Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
  3. AWS free tier now includes 750 hours of free public IPv4 addresses, as charges for public IPv4 begin
  4. Azure Red Hat OpenShift April 2024 updates
  5. General availability: Extensible key management using Azure Key Vault for SQL Server on Linux

Top Articles and Resources of the Week

Articles

  1. Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians
  2. Cyber on fire: Cybersecurity sector is breaking away from high-tech industry
  3. Cybeats signs cybersecurity deal with top 3 European telecom leader
  4. Cisco strengthens multicloud security portfolio with acquisition of Isovalent
  5. Key cybersecurity concerns among CISOs examined

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.