👀 CyberSec here. I listened to your points & I can see why you made this video. Most of what you pointed out is true. HOWEVER, regardless of automation, we will ALWAYS require human oversight at the most basic level.
Cybersecurity in its current form will evolve to ONLY DevSecOps. All disciplines of tech (network, sysadmin, AppDev, cloud engineering, etc.) will merge into one, due to automation. DevSecOps will survive them all. AI / ML will require continual oversight.
In short, DevSecOps is the FUTURE of tech. No death in sight whatsoever.
Essentially we are now building the kind of tooling and guidance for cybersecurity that we did for safety in the aerospace engineering field. It's not on engineers to remember a giant list of vulnerabilities and how to mitigate them; they have a set of standards (including test guidance for things not covered explicitly by those standards) that make sure they consider the vast majority of possible issues.
That being said, having companies actually follow those is another matter as recently observed with a certain manufacturer...
I'm starting school for CS so this is very helpful! Thank you for making this video
So, frequently rebuild all apps/containers/hosts/whatever to get "latest" (the patched versions... that are then immutable).
Move version micro-management and churn out of dev hands.
Personally a fan of this, but it does have some abrasion points IME:
- Doesn't solve for individual dev saying "I need froxbozzle 1.3.17, because my code breaks with 1.4.18. Why should my code have to work with patched versions? PROVE to me that I should have to keep up."
- ...or manager saying "Why are devs still getting tickets to maintain their software, I thought we got rid of maintain-to-CVE-reporting?"
- Or lots of angles pushing back with "but hard versions are STABLE, pinning is a BEST PRACTICE, why are we introducing risk by auto-patching to newer things."