
There is an endless supply of "infosec specialists" and "ethical hackers."

But there is a massive shortage in motivated experts that ensure packages are up to date and fluent enough in code spelunking to ensure the app isn't trusting user input or allowing privilege escalation.

There's also a shortage in technology leaders willing to spend money on the mundane aspect of security. It requires regular work, not compliance effort and periodic audits/pentests that check off boxes.




Software complexity in most companies has exploded. Nobody is doing anything to try reduce or manage complexity so it's only getting worse. The more complexity there is, the easier it is to find vulnerabilities.


> Nobody is doing anything to try reduce or manage complexity so it's only getting worse.

I disagree. I see a number of large corporations starting to standardize either 1) their entire development stack, from IDE all the way to how the code is deployed; 2) reengineering entire languages to have one language be used, e.g. Quartz at BofA; or 3) at the very least, companies are starting to standardize their middleware stacks, to at least avoid the configuration-related issues of having a development team managing that.

While I do agree that the complexity of third-party libraries has exploded and is increasingly difficult to manage, I'd say companies are well on their way to standardizing that, with tools like Nexus, Sonatype, Black Duck, etc.

We're obviously a long way away from being even 75% effective across the board, but to say nobody is managing the complexity is a bit short-sighted :)


> I see a number of large corporations starting to standardize

My current job in a nutshell.

It's like handling children (No, you can't add a new technology because you want something fancy on your resume)


OPSEC comrade :)


We're trying to address this. If you've got some time I'd really like to compare notes on this and learn how you guys work day-to-day. We're leveraging osquery to assess the various aspects of systems to try and build threat models where risk cascades as systems change, to help facilitate automated reporting, alongside the traditional mundane cybersecurity day-to-day activities.


Things are out of date because things that are working don’t get money and time allotted to them to update them.

People still run Windows XP because there’s a piece of software that never got updated to run on Windows 7, much less Windows 10.

There are those Java apps that are stuck on Java 6. Websites that still need IE6. Things that use the unsafe versions of stuff like HTTPS... because Visual Basic 6 doesn't support them out of the box.

But it still works. So it keeps going.


I'm out here imagining all the unethical hackers drooling over the sweet, sweet vectors that are Snap and Flatpak. Unfortunately the QA and auditing aspects of distro packaging seem to be taken for granted, and the resources for that are surely not sufficient to counter motivated adversaries.


Don't forget helm charts and docker containers. The security/assurance of that supply chain is pretty lacking.

It feels like some people are actively applying the (historical?) WordPress security model to Kubernetes for expediency.


Do enough people actually use Snap or Flatpak (especially at large companies) to make it worth anything? I’d imagine that most people would just use real distro packages and stuff compiled from source instead of trusting Snapcraft or random Flatpaks off the Internet, especially in production.



