Interview with Deepayan Chanda, Cybersecurity Architect and co-author of Penetration Testing with Kali Linux.
Reliability, accuracy, architecture and resiliency (RAAR) make up what Deepayan Chanda calls the four pillars of sustainable cybersecurity. In this interview, he explains how these principles apply to DevSecOps.
Q: How did this model of sustainable cybersecurity first come to you?
I realized that nothing in cyber is sustainable. To maintain security of software means a lot of patching and updates to fix bugs and apply security controls and configurations. Each patch can create new problems, and over time, those impacts could have a cascading effect that renders these applications unusable, not to forget at the same time that the misconfigurations can lead to nasty security breaches too. So, we bring in more software to create layers of security to counter the cascading problem. There are so many layers to secure, and so many products installed, that the current model is not sustainable over a longer period.
Q: How does the same mode of sustainable cybersecurity (through RAAR) apply to DevSecOps?
When I started working on this model, I had cybersecurity mostly in mind, but I soon came to consider how it could be used to improve releases of reliable, bug-free code. From the lens of DevSecOps, reliability, accuracy and architecture all apply—and these pillars also feed into each other.
But let’s start with the hardest pillar first: Resiliency in code, which is the missing piece in most organizational approaches to cybersecurity. Software needs to be resilient enough to recover from disruptive events without much impact on the operations it was performing. In a way, applications already have a layer of resilience because they can usually be quickly restored in the case of a disruptive event. However, in software, resiliency is often confused with availability. For example, an email system goes down, but there’s a fallback mechanism to recover the email held in the system.
Pro Tip: Intel’s Collaborative Research Institutes defined challenges in sustainable security and safety for embedded OT such as in smart cars, and common applications like cryptography.
Q: How can developers apply RAAR to code development and bug fixes?
Bugs relate directly to accuracy. If the code is developed accurately, there are no bugs and the software does what it’s supposed to do, and it does so reliably. A good example is software in copy machines. At a micro level, there are codes in it which make it work, which never fail and keep on running year after year. But even with printers and copy machines, there are bug fixes and updates. And code is everywhere. We spend a lot of time patching vulnerabilities in code that’s already developed, which is time-consuming and costly. So, accurately designing programs and writing code can drastically bring down the bug issues, making security more sustainable in the longer term.
Q: How does the RAAR model apply beyond practices that DevSecOps pros already follow, such as code scanning and review?
The root cause of these problems is usually the architecture. Architecture comes first. The software, network, design, and business requirements all go into the architecture planning before any code is written. Sustainable architecture designs should support a longer application lifecycle. Code is then written to that architecture as accurately as possible, creating an application that does what it is programmed to do without failing, which circles back to accuracy and resiliency.
Q: What about architectures that are cloud-based, including architecture as code?
This RAAR model should fit on prem, in the cloud or hybrid. It’s easier to be resilient in the cloud than on prem because there is an array of systems behind cloud applications, so they can usually keep running in the case of a disruption event. It helps that most of the software in the cloud is microservices based, and microservices usually keep running independent of each other. The container-based nature of cloud development is also uniquely resilient. Containers are automatically spun up and workloads are transferred based on bandwidth, for example.
Q: Where do you see sustainable security helping in the future?
It will take time, money, and effort to update and improve some of the architectures that organizations are already invested in. But a well-implemented resilient, accurate architecture that is reliable can last longer with fewer bugs, vulnerabilities, and ultimately fewer patches and updates. Enterprises and their software vendors developing the products and maintaining patch and update processes will save money over time.
Q: What are your plans for your RAAR model?
My next phase is to spread out, evangelize, build more champions and consensus in the industry. This will include building more use cases that will help leaders understand how to transform cybersecurity practices for business benefits by adopting sustainable cybersecurity principles.
