So how are you doing? I hope everything is fine. You've got now a lot of traction with, you know, all the different solutions and all the different concepts about cybersecurity, and I'm still not sure if this is a cyber revolution or a cyber evolution, but let me ask you a question. Having so many different areas of cybersecurity, you know, where we have found already a solution, is there any technical problem in cybersecurity which we can solve today? Think about that for a moment.
Like, you know, when I was a kid I was very much excited about space, going to the moon and, you know, the moon landing itself. And yesterday night a small dream came true. I just had the opportunity to have dinner with the president of the European Space Agency and Alexander Gellar and some other folks in this space.
And it's just amazing to see the problems they're trying to solve, really putting these giant solar panels, you know, up into space and then trying to beam the energy down to the earth.
A lot of technical problems which have to be solved. For us in cybersecurity, I guess it looks a bit different, right? Cybersecurity is not really a problem of, you know, a lack of solutions, because we know how to build secure and resilient systems. Cybersecurity is a problem of execution.
I mean, we always failed collectively to adopt security-by-design principles, install patches, you know, install security controls and so on. And when I started my career back at Deutsche Bank in 2009, that was my first task as well: just to build capabilities to aggregate a lot of vulnerabilities, late patches, misconfigurations, and accelerate remediation. And now, 15 years after, I must say I failed, and I think we failed as an industry, to be honest with you, right?
Because the situation looks much worse than it was looking 15 years ago. And the question, of course, right now is gen AI.
I mean, a lot of people are drawing this sort of dystopian future or utopian future. Which pill are you going to take? The red pill, the blue pill.
But again, I think looking as well at the history of cybersecurity, it was always a cat and mouse game, right? Every time the question was who was the first to adopt the cybersecurity innovation, rather than, you know, who had the advantage initially. And I think that's what I would like to really focus on in the next 20 minutes: try to show that there's a chance to bake in security with this new cycle of innovation from the beginning, rather than bolting it on top afterwards. And even more, I think this is not just a necessity, it's a must, we have to do it.
And to do that, and please stay with me, I'd like just to focus a bit on some things which never change in cybersecurity. You can call them first principles, or forces in cybersecurity, which we've always talked about. I'm not sure if you'll agree with these five forces I'm going to show, but I'm pretty sure you're going to remember them.
You know, later on if we meet at the bar, if you don't remember, I'm gonna, you know, buy your beer for sure. All right, so it's a deal. Let's start with the first force, which is a force you are familiar with: Moore's law, of course, or, you know, the exponential growth of compute, and the same type of force we're experiencing in cybersecurity. We can't change that. The attack surface is growing exponentially, right? And this time it's not just about the number of devices, it's about the software, it's about the code, right?
Everybody can code today. Software is eating the world, like Marc Andreessen, you know, coined a couple of years ago, and AI is eating the software, and we see already with a lot of new technologies like, you know, GitHub Copilot or all the different open source frameworks that you can accelerate programming. But on the other hand we see that still 40 to 50% of this code is buggy, and most likely it's going to stay this way as well. Let's see how it's going to turn around.
But what we need to take from that is we need to prepare for this proliferation of, you know, self-developed software and code going forward. Second, Darwin's force. I mean, we're all familiar with Darwin. Darwin applied to business means our businesses have to adapt to the innovation, otherwise they're going to die, otherwise they're going to risk this, you know, extinction of their business.
So we have simply to understand how we can support the business. And today we see that most organizations already, like around 80%, are deploying updates on a weekly basis.
And still, for cybersecurity, we're trying to fight with hundreds, 150 days, oh sorry, hours, as well as days on average to fix a vulnerability, depending on the organization, to be honest with you. So the question here is how can we really, sorry, I didn't click further, how can we really adapt to the speed of this innovation from a business point of view?
But for us the question is how can we move our security at the speed of engineering? Right now, looking at the last wave of innovation, the cloud: looking at the recent stats, we just did an analysis with Unit 42 on the attack surface of some of the largest companies out there, and we see that 80% of end-of-life systems are present in public clouds rather than in on-prem environments.
I mean, this is the most modern environment, right, that we're building on, and there's already 80% of end-of-life systems. So we are not really keeping pace with this type of wave.
Now, the guys who are keeping pace are definitely the attackers. And don't get me wrong, I'm not trying to suggest that we are fighting against robots already, but just look back at how fast the attackers were in the past. Coming from financial services, I remember one of the first threat actors we were dealing with was Carbanak. It took about a year, you know, from initial compromise of a bank until they reached the goal, got the money out or the data out. Just two years ago it was 44 days, last year 30 days, this year five days.
And we see attacks which are just happening within hours from initial compromise until the attackers are getting all the data.
And now there are multiple data points we can discuss here in this space. But I think just looking a bit ahead at what can happen with gen AI, there's a lot of nice research about that, but just try really to map here what can happen. And of course, yes, the attacker can now use large language models for, you know, improving the recon, accelerating the recon, trying to drive up the phishing.
We see already, you know, phishing numbers growing 3,000%, and malware can of course be generated much quicker. Deepfakes are becoming a problem. Fuzzing tools are being accelerated by up to 30 to 40%, you can reconstruct patches all of a sudden very quickly and build exploits directly out of that. All that is becoming possible. And of course the attackers can also use this at the latest stage of the attack by, for instance, understanding the attack path or trying, directly on-prem, to understand what kind of data they should leak out, right?
Just to be more effective.
All that is possible. But on the other side, we can leverage these technologies as well, right? We can do the same. We can use our phishing simulation tools, use our tailored systems, use our XDR capabilities going forward. Two things which are going to become a bit more stressful for us, from my point of view: the first is obviously how we authenticate content in general, right? We see already the first attacks with deepfakes happening against, you know, German companies, but in general trying to understand how we authenticate voice.
You know, video going forward is going to be definitely a big problem. On the other hand, what is going to happen now with attackers who have this capability to find vulnerabilities much quicker, to reconstruct patches, build exploits, and what about all this self-developed software, which is going to be buggy as well? That's going to be a stressful point, just applying this to the current landscape of infrastructure vulnerabilities, not self-developed vulnerabilities.
Also based on our recent research, we see that some of the recent vulnerabilities, you see in dark blue the Atlassian vulnerability and I think two of the Microsoft vulnerabilities, have been exploited not within weeks or days, but just within hours after the publication, right? And very often, I'm not talking about the publication of the exploit code, but the publication of the patch itself. So that's worrying, and we have simply to adjust to the pace of these attackers.
Now we are adjusting, definitely, and deploying a lot of controls, but on the other hand we have to fight as well against this guy, Frankenstein's force, right? We've all seen controls dying over time. Entropy of controls is a big problem. That's why we're trying to adopt principles like, you know, software-defined controls. That's why we're trying to integrate: we see the emergence of SSE across the networking space, XDR across the security operations space, and this sort of integration didn't really happen for application development yet.
The signal to noise ratio is just far too high.
How many times did you send unvalidated findings from a vulnerability scanner back to developer teams, right? And then really destroyed the trust with those guys. Looking just at statistics, there are many data points, but only 15% of all the vulnerabilities found in production systems are really used by the application, and then only 2% of them are exploitable. And that's worrying. This is pretty much leading to the entropy of controls dying over time. And now the last force is Scully's force.
Now, all of us have to deal with Scully, and you know, regulators definitely always want to get inside, especially in the financial services industry. And don't get me wrong, I feel regulation is very important for cybersecurity.
But again, there are two big problems. The first problem is the proliferation, you know, the massive amount of regulation hitting us right now.
I think the latest numbers were like 6,000 regulations or regulatory requirements in the financial services space. And on the other hand, sometimes regulators tend to deep dive into a very specific topic, not really understanding the entire architecture, the entire impact. And that's boring.
And just looking at what is going to happen next: like the first three waves of, you know, regulations, the first one focusing more or less on non-cyber, the second one focusing on data protection with SOX, GDPR coming to life; now we're in a wave of critical infrastructure being regulated, DORA, NIS2. And what is now being put in place on the horizon are things like the Cyber Resilience Act, things like the AI Act, where the regulators are going to deep dive into how we develop our products.
So again, secure software engineering is being stressed here, and looking at all these forces, I think we can summarize that secure software engineering is definitely in the spotlight of all of these five forces. And we have to understand how to deal with this topic. How can we really, this time, not repeat the mistakes we've already made in the last waves of cybersecurity, right? How can we do that? And perhaps we should initially, you know, face the elephant in the room. Are you ready for the elephant in the room?
It's really that we've lost the empathy to software developers.
And if you've been a software developer, you understand what I mean. The challenge is that we still try to flood them with a lot of unvalidated findings, with a lot of manual work, and they simply lose trust in us, right? And that's why they don't want to deploy anything on shift left, deploy any controls at the left side of things. But now, how would a, you know, perfect world look like? Let's quickly just summarize that. What would we, from a technical point of view, like to see in our architecture? And the beauty about cybersecurity is we've always got acronyms for everything.
Like most of us are doing, you know, securing the runtime with posture management, with container security solutions and so on. I think that's pretty much standard.
Meanwhile, we are trying to secure the pipeline and shift left, and understand how we can now reach the developers.
How can we automate, operationalize threat modeling, you know, understand our dependencies? SAST, DAST, all these controls are becoming more important, often already deployed since SolarWinds. With SolarWinds we understood that, you know, the pipeline itself can be compromised, the developers can be compromised, and then all of a sudden malicious code can very quickly, you know, affect all of your 18,000 customers, like in the case of SolarWinds.
So we have to secure the pipeline itself as well. And of course the last aspect is we want to make sure that, you know, the developers don't bypass our pipeline as well, in case we have the secure pipeline. How do we ensure that nobody else, not even the developers, can deploy anything to production? Now, what's the best way to do that? And I think the best way is to create a win-win situation.
And to do that, we have simply to anticipate what would help developers to be more productive. Now, the best way to do that is just to look at the research around developer experience.
There's tons of research around that, from GitHub, from, this is a recent paper from the University of Victoria and Index which pretty much, you know, brought it down as well to three disciplines, which identified that developers' productivity can be increased in three specific areas. The first is the feedback loop: how to ensure that the feedback loop is fast, contextual, automated, reliable. Second, the cognitive load.
How do we ensure that developers, you know, who have to deal not just with writing code but with configuring infrastructure, quality management, security, that they are not overwhelmed with a lot of data? And third is the flow state.
You know, if you're developing software, you are very often just in your flow, you don't wanna get calls from security asking about what is Log4j again, are we using that or not?
Right? And now we can apply this to cybersecurity as well. And I've just tried to map down a couple of principles all of us are using from time to time, but I don't think that we're doing this in a systematic way, and that's very important. First, to optimize the feedback loop, the most important aspect, and that's a free one, right? For everybody.
Integrate into the developer's ecosystem as much as possible. Use their tools whenever possible, right? This way you're not going to interrupt them, and you ensure that they stay in the flow as well. The biggest challenge for all of us is to create context, to take responsibility for all the findings we're sending back to them, to make sure that we, you know, track ourselves as well based on the false positives we're sending back to them.
And to do that, very often it's not enough to have a look and insight on the production space and, you know, run scans there, but also to understand the code itself, understand how the code is being used in the application, and, you know, create this context around that.
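One way to put the context step into practice, as an added example that is not from the talk: triage raw scanner findings against what the application actually loads and reaches (the point made earlier that only a small share of findings in production is used by the application, and fewer still are exploitable), forward only the rest, and track how many forwarded findings developers reject. The class names, the finding ids and the sample scan are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner's own id; the values below are constructed placeholders
    package: str      # affected dependency
    severity: str     # "critical" | "high" | "medium" | "low"

@dataclass
class AppContext:
    """Context a scanner alone lacks: how the application really uses its dependencies."""
    loaded_packages: set      # dependencies actually imported at runtime
    reachable_findings: set   # finding ids whose vulnerable function is on the call graph
    internet_exposed: bool    # is the service reachable from outside?

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def triage(findings, ctx):
    """Split raw findings into (forward, suppressed).
    forward:    list of (priority, Finding), exploitable ones first
    suppressed: dict finding_id -> reason, kept so every decision stays auditable"""
    forward, suppressed = [], {}
    for f in findings:
        if f.package not in ctx.loaded_packages:
            suppressed[f.finding_id] = "package not used by the application"
        elif f.finding_id not in ctx.reachable_findings:
            suppressed[f.finding_id] = "vulnerable code path not reached"
        else:
            # reachable AND exposed AND serious: this is what developers should see first
            exposed = ctx.internet_exposed and f.severity in ("critical", "high")
            forward.append(("P1" if exposed else "P2", f))
    forward.sort(key=lambda p: (p[0], SEVERITY_ORDER[p[1].severity], p[1].finding_id))
    return forward, suppressed

def noise_reduction(total, forwarded):
    """Share of raw findings that never reached a developer."""
    return 1.0 if total == 0 else 1 - forwarded / total

class FeedbackTracker:
    """Measure ourselves: of what we forwarded, how much did developers reject?"""
    def __init__(self):
        self.forwarded, self.rejected = 0, 0
    def record(self, forwarded_ids, rejected_ids):
        self.forwarded += len(forwarded_ids)
        self.rejected += len(set(rejected_ids) & set(forwarded_ids))
    def false_positive_rate(self):
        return 0.0 if self.forwarded == 0 else self.rejected / self.forwarded

# Constructed sample input: six raw scanner findings for one service.
SCAN = [
    Finding("F-001", "libfoo", "critical"), Finding("F-002", "libbar", "high"),
    Finding("F-003", "libbaz", "medium"),   Finding("F-004", "libqux", "high"),
    Finding("F-005", "libfoo", "low"),      Finding("F-006", "libzed", "critical"),
]
CONTEXT = AppContext(loaded_packages={"libfoo", "libbar", "libbaz"},
                     reachable_findings={"F-001", "F-002", "F-003"},
                     internet_exposed=True)

if __name__ == "__main__":
    fwd, sup = triage(SCAN, CONTEXT)
    for prio, f in fwd:
        print(prio, f.finding_id, f.package, f.severity)
    print("noise reduction: %.0f%%" % (100 * noise_reduction(len(SCAN), len(fwd))))
```

The suppressed dict is the part to keep: when a developer asks why a finding never reached them, the reason is already recorded.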
And what I've seen as well working really well, especially in the automotive industry, is to provide options. Sometimes you might provide a very secure pipeline, but developers have to accelerate and they don't wanna wait, you know, the entire night just to get the feedback.
If everything was fine, they wanna get this in one hour, so provide them options, a less secure pipeline, so that they can get this feedback much quicker. Second is reducing cognitive load, and here again I'm supporting the survey that all technologies, all languages should be supported, simply because we don't have the privilege to choose the developers nowadays. So in extreme scenarios, if you have a Java developer, asking them to do Python is difficult, so try to support everything, but on the other hand, double down on new security defaults, that's free, right?
That's something we can all do much better.
And then there's this new trend as well to provide environments as code and secure environments. It's taking a couple of hours for a developer to set up an environment. So if you can help them with this and industrialize this process, that's going to be amazing. And then obviously auto-remediate whenever possible, you know, manage the entropy of the controls, so shut down controls which are not working and so on. The last point, that's more on us: how to optimize the flow state.
We are still sort of driving security as click-ops, we're using GUIs in cybersecurity. And the question is just how can you automate your interactions with the developers as much as possible, right? How can we evolve from click-ops to DevOps and measure ourselves as well on this point of view? And I think one of the best arguments here is controls as code.
There's meanwhile a lot of standards like OPA and so on where you can define identity, where you can define runtime controls, where you can define configuration controls directly at the code level, and developers can consume and pull this in. And obviously, I think one big point is, you know, this trend as well that more and more companies are looking not just at application security but evolving into product security. So I think there are a lot of components we can, you know, use and start learning from to get this pull effect for more cybersecurity, and we can learn a lot from that.
But the question in the room is always, of course, right now, how can gen AI help us, right? Will gen AI fix everything or not? Now, I'm working for a vendor, and yes, of course gen AI can help, but it'll help just in a couple of use cases.
So we tend to talk about precision AI for many of the other use cases, and I just took a picture from Andrew Ng, who's a professor at Stanford University and who showed this for the general use cases, and I feel this is pretty much, you know, a really good application for cybersecurity as well, because you can use copilots. We're very excited with copilots around, you know, software development, because you can find, all of a sudden, a lot of things in unstructured data, unstructured data from code to, you know, production.
You can deploy, or you can configure your controls much better as well, with copilots. It's amazing, we are really going to drive a lot of remediation, but on the other hand, what about some other controls? Think about traffic inspection, where you have to make a real-time decision.
You can't wait seconds or even milliseconds, you have to do it directly at the beginning. You can't hallucinate the threat away, right?
This is where just classical supervised learning is going to be very important, which requires data, labeled data, and which requires as well a full data stack across a specific problem. Now to summarize, by the way, I don't see my time here, but just to summarize those three points: I think gen AI is definitely changing the game for a lot of industries and areas and domains, but it's not going to change the cybersecurity cat and mouse game.
We have a chance, we have a chance to use this wave of change to double down on security engineering and to really move our security at the speed of engineering. And I think developer experience is a really good north star for us, just to try to understand how we can create this pull effect for security being ingested more by developers. And then, before Carson takes over, you know, I have to talk about my dream, right? Like building rockets and so on.
And that's a very nice analogy, I think, to finish this off. You know, if you think about the moon landing, what is your first reference point? Neil Armstrong, very often, right? He is the hero who really made it possible and, you know, who went as the first human to the moon.
But again, he definitely deserves his place in history. But again, what about the thousands of scientists and engineers who built the rocket? If it were not Neil, it would have been somebody else. Now try to apply this to cybersecurity. The biggest challenge in cybersecurity we're having today is to get the right data and to get the right foundational controls, and AI would often come for free, because once you have that, applying AI on the right data set is pretty easy. I would say with this I would like just to encourage us to build proper rockets, and thank you very much.