In The Boardroom With...
John Diamant is a Distinguished Technologist, responsible for Hewlett-Packard’s (HP) internal and external product security quality programs. Diamant defined HP’s security quality policy, methodology and training, through the Secure Product Development program which he leads. He is the lead inventor of HP’s industry-leading high efficiency, high effectiveness, and enterprise scalable security quality improvement methodology – HP Comprehensive Applications Threat Analysis (CATA). Diamant is also responsible for offering this leading security quality improvement methodology service to
SecurityStockWatch.com: Thank you for joining us today, John. To begin, please tell us a little about your background.
John Diamant: I’ve been involved with cybersecurity for over two decades, from a variety of perspectives, including governance, product development, and security services. Over the years, I have observed significant changes throughout industry to accommodate the evolving threat environment. I am an HP Distinguished Technologist and serve as HP’s Secure Product Development Strategist, responsible for creating and leading the company to secure its products and applications, in coordination with each of the individual business groups. I’m also the Application Security Strategist for our Enterprise Services U.S. Public Sector business, and lead our application security offering to architect and design security in during the development phase.
SecurityStockWatch.com: You have an extremely interesting role within HP, in that you are responsible for the world’s largest technology company’s internal product security quality program, and also to provide guidance and lead security quality services for customers. Can you elaborate on the unique vantage point this provides you and your team?
John Diamant: Certainly. From this perspective, I have both a strong theoretical and a very pragmatic view of what it takes for a large enterprise to secure applications and products, as well as how large of a challenge this can be. Broadly speaking, the IT industry, until now, has failed to adopt quality lessons that will help ensure that information assets remain safe. While cross-discipline knowledge transfer is often a challenge, it must be utilized in order to apply the highest security assurance. Enterprises must learn to require, architect, design and build security into applications at the beginning of the process, rather than expecting to only reactively fix it during the security testing phase.
SecurityStockWatch.com: Cybersecurity threats, attacks and breaches continue to be front page news on virtually a daily basis. What is your perspective on where these attacks are aimed?
John Diamant: Cyber attacks and breaches are aimed at a wide variety of targets. While many attacks remain focused on networks, a high percentage of these are thwarted by firewalls, anti-virus, intrusion detection/prevention systems, and so forth. But the more compelling question is examining where the successful attacks are typically directed.
By and large, most successful attacks today, approximately greater than 70%, are targeted at applications where inherently, most vulnerabilities reside. As the notorious bank robber Willie Sutton was quoted as having said, “I rob banks because that’s where the money is”. In today’s technology-driven world, our critical and often sensitive data is managed by applications. Applications continue to represent one of the weakest links in enterprise security, often full of vulnerabilities. It is also important to note that while application developers are concerned with translating requirements into code, they can’t all be security experts. Developers, being human, will occasionally make mistakes; therefore, leaving application security only in the hands of developers is a risky proposition. You can’t rely only on testing scenarios to find and fix all of your existing application vulnerabilities.
SecurityStockWatch.com: OK, since applications appear to be a target of choice, do enterprises typically have their cybersecurity priorities straight?
John Diamant: Yes and no. It’s certainly important to invest in traditional security (firewalls, infrastructure, anti-virus, and so forth), but clearly we see an underinvestment in application security as it typically represents less than 10% of security spend, directly resulting in a weak security link. Reactive security, such as security patching and security testing, remains important not only as quality controls, but also from the security standpoint. However, if enterprises continue to build their entire security quality model on just reactive measures, it should not come as a surprise that successful attacks will continue to dominate the news. This said, IT professionals must proactively require, architect and design security in up front. Building security in early, combined with the commonly performed reactive security testing and patching as appropriate, can help enterprises get ahead of this dilemma. This is true particularly in light of costs. Your overall costs go up by orders of magnitude the later in the lifecycle that you detect and fix a defect (e.g. 30x-100x or more, post-release versus building in security as part of the requirements and architecture). Overall risks are greatly reduced when vulnerabilities are eliminated up front, before exploits can occur. HP’s Comprehensive Applications Threat Analysis (HP CATA) addresses this issue proactively by requiring, architecting and designing security into the process very early on in the lifecycle.
SecurityStockWatch.com: So can you please walk us through what CATA does to help enterprises?
John Diamant: CATA addresses the application security issue from two distinct approaches. First, CATA is used to map the security regulations and develop a gap analysis of regulations, best practices, and other security requirements that apply to individual applications. Secondly, we take a high-level architecture view for threat modeling and attack surface analysis, used to identify weaknesses in the architecture and design, which correlate directly into security vulnerabilities that would be coded or configured into an application. Improved architecture and design guided by CATA can build security robustness and resiliency in to reduce the number, probability, and severity of vulnerabilities.
Ideally, CATA should be applied as early as possible, in requirements analysis and during architecture and high-level design work; whether that is for the first release or the tenth update to an application or product. Few applications are greenfield and many are in various stages of maintenance. CATA works either way. Additionally, CATA can be applied as a type of Independent Validation and Verification (IV&V) of applications which aren’t currently being updated, to better understand their security requirement gaps and identify the level of risk associated with undiscovered vulnerabilities.