This guest post was written by Dr. Edward G. Amoroso, Former SVP and CSO of AT&T; Current CEO of TAG Cyber, LLC.
I had a physics teacher back in high school who would respond – when asked about some lab experiment we were planning – that “the proof is in the pudding.” There was no Google back then, so it took me a while to figure out what the heck he was trying to say. I eventually figured out that he was trying to tell us that you needed evidence that something was so by actually checking it out – that is, by eating the pudding. Or something like that.
Many years later, I remember thinking of this when trying to demonstrate and prove security properties in programs. I even remember repeating this phrase a couple of times – to the chagrin of my computer science graduate students at Stevens. I would smugly state that if they wanted to know whether their tool, code, system, or whatever was secure – well, then the proof would be in the pudding. The fact that most of these fine graduate students were non-American probably threw them for a double loop. I’ll bet they were wondering why I was referring to my dessert.
Anyway, in researching my 2017 TAG Cyber Security Annual, which was released today for download, I spent time learning from my good friends at Prevoty about how to secure applications. This is one of the great problems in modern enterprise security and the Prevoty folks agreed to help me. After a couple of sessions, I soon realized that application security was dependent on something called Runtime Application Self-Protection or RASP. Now RASP has all kinds of cool self-learning techniques where the execution environment reconfigures itself to respond to bad conditions. I always figured this was futuristic, until the Prevoty team showed me it was available now – which is good news.
But as I learned more about RASP, it reminded me that application security, when done right, needs to be more than a static check of the source code (which is a good idea, by the way). And it needs to be more than ensuring a decent software process through a maturity framework (which is also a good idea). Application security requires, in addition, that during runtime execution the security solution shows it can actually deal with a dynamic problem, such as a malicious input arriving while the program is running. It needs to demonstrate this by doing it.
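To make the runtime-versus-static distinction concrete, here is an added example that is not code from the post and is not Prevoty's product or technique: a deliberately vulnerable SQL query built by string concatenation (the kind of pattern a static scan flags), executed once without and once with a small RASP-style guard that inspects the finished statement, with the real user input already in it, at the moment it is about to run. The guard's rule is simple: every raw occurrence of an untrusted value must sit entirely inside a single string or number literal; if it spills across token boundaries, the input has changed the structure of the statement and execution is refused. All function names, the SQL token grammar and the in-memory users table are constructed for this illustration.

```python
import re
import sqlite3


class RuntimeGuardError(Exception):
    """Raised when the runtime guard decides a query must not execute."""


# Token grammar for a small SQL subset: enough for the demo, not a full SQL lexer.
# Each alternative is a named group, so m.lastgroup tells us the token kind.
_TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<comment>--[^\n]*)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z_0-9]*)"
    r"|(?P<op><>|<=|>=|!=|[-+*/=<>(),;])"
)


def tokenize(sql):
    """Return (kind, start, end) for each token; raise ValueError on text we cannot lex
    (for example an unterminated quote, itself a sign the statement was tampered with)."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unlexable SQL at offset {pos}: {sql[pos:pos + 10]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def input_is_confined(sql, value):
    """True if every raw occurrence of `value` in the final query sits entirely inside a
    single string or number literal. A value that spills across token boundaries has
    changed the structure of the statement, which is what SQL injection is."""
    if not value:
        return True
    try:
        literal_spans = [(s, e) for kind, s, e in tokenize(sql) if kind in ("string", "number")]
    except ValueError:
        return False  # cannot even lex it: refuse rather than guess
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e in literal_spans):
            return False
        start = sql.find(value, start + 1)
    return True


def guarded_execute(cursor, sql, untrusted_values):
    """The runtime hook: look at the statement as it is about to run, with the real
    user-supplied values in it, and refuse to execute if any of them escaped its literal."""
    for value in untrusted_values:
        if not input_is_confined(sql, value):
            raise RuntimeGuardError(f"blocked: untrusted value {value!r} altered query structure")
    return cursor.execute(sql)


def make_demo_db():
    """Constructed in-memory sample data for the demo (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def build_lookup_sql(username):
    # Deliberately vulnerable string concatenation: the pattern a static scan would flag,
    # kept here so the runtime guard has something real to catch.
    return f"SELECT id, name FROM users WHERE name = '{username}'"


def unguarded_lookup_user(conn, username):
    """The application as written: no runtime check."""
    return conn.execute(build_lookup_sql(username)).fetchall()


def guarded_lookup_user(conn, username):
    """Same query path with the runtime guard placed in front of execution."""
    return guarded_execute(conn.cursor(), build_lookup_sql(username), [username]).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    print(guarded_lookup_user(conn, "alice"))      # normal input passes through
    attack = "' OR '1'='1"
    print(unguarded_lookup_user(conn, attack))     # unguarded: every row leaks
    try:
        guarded_lookup_user(conn, attack)
    except RuntimeGuardError as exc:
        print(exc)                                  # guarded: blocked at the moment of execution
```

Two caveats a practitioner would want stated. First, the check is deliberately conservative: a username that happens to equal a column or table name (for example `name`) would be blocked because it also matches an identifier token, and a production RASP compares the statement against its expected structure rather than searching for raw substrings. Second, the guard is a demonstration of the runtime idea, not a substitute for the correct fix, which is a parameterized query; the point of the example is that the static finding (concatenation) and the runtime decision (this concrete statement, with this concrete input, must not run) are different kinds of evidence, and the second one is only available by actually eating the pudding.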
I went back and looked at my notes during my first Prevoty learning session. And there in the margins was the magic phrase: The proof is in the pudding. I guess old sayings from high school teachers die hard – or maybe die never.