
Election Integrity and Cloud Challenges Through the Eyes of Brian Glas

Hey everyone 👋

Ian here, diving straight into it on Cloud Control this week with Brian Glas—a true pioneer who's navigated everything from FedEx's AppSec initiatives to the lecture rooms of top academic institutes like Union University. With his involvement in projects like the OWASP Top 10 and RABET-V, Brian's insights are invaluable for anyone looking to deepen their cybersecurity knowledge. Get ready for a deep dive into application security's past and future, the shifting sands of cloud risk, and the unique blend of teaching and real-world application. This is a conversation you'll want to pay attention to, happy reading👇

Brian Glas, Fellow at Cloud Security Partners and Assistant Professor & Department Chair of Computer Science at Union University

Question 1 💭

Welcome to Cloud Control Brian! Let’s start with this: what excites you the most in the field right now? What are your current focuses or projects that you think will be most impactful?

Answer 1 🎯

A lot of my focus right now is on the OWASP SAMM Benchmark, OWASP Top 10 2024, RABET-V, and studying cloud risk projects; each has the potential to directly help improve the overall state of secure software development in different ways. The OWASP SAMM Benchmark is working to collect a datastore of maturity scores for a wide range of organizations across the globe to help answer the age-old question of “How am I doing compared to others?” We are working on bringing broad insight into what progress we are making (or not) in the discipline of software security. The OWASP Top 10 is an awareness project that has become a pseudo-standard for better or worse. We need to ensure that the list drives beneficial behavior for the industry. There will be countless talks, tools, training, etc. built to help educate people about that baseline. The RABET-V project is a process that we piloted for three years to bring a risk-based process to evaluate election-supporting technology across organizational, architectural, and implementation perspectives. Our goal is to help organizations improve the security of technology related to elections to ensure their integrity. For the cloud risk project, we’re working on figuring out how to clearly articulate changes to the attack surface and risk profile for cloud architecture and infrastructure to help people manage the changing landscape.

We learned quickly that it was much easier to transition from a developer into AppSec than it was to try to teach traditional network or system security how to develop code.

Brian Glas

Question 2 💭

Transitioning from an enterprise Java developer to leading the charge in application security at FedEx must have been a monumental task. Could you walk us through the challenges you faced in building the Application Security team and how you overcame them?

Answer 2 🎯

That was a crazy time at FedEx, and I didn’t have any idea how crazy it was until later, lots of 80-hour weeks as a manager. We were going to build an identity vault for IAM, then shifted to managing SSO, and then quickly moved to full AppSec. This was early in AppSec days so we would try to go to conferences to find others and ask what they were doing, only to learn we were one of the first dedicated AppSec teams that we could find. The OWASP Top 10 had just been released and there was minimal industry content and standards, so we made stuff up based on what we as a team thought made sense. We learned quickly that it was much easier to transition from a developer into AppSec than it was to try to teach traditional network or system security how to develop code. When I was there, we never had more than six individual contributors to cover the vast majority of FedEx, so we focused on building standards, guidelines, processes, etc. to teach others how to be responsible for their own security, and we became known as the “think tank” that could figure out and solve most any security problem.

Question 3 💭

As if that wasn’t enough, you also worked on the Trustworthy Computing team at Microsoft where you were part of efforts to future-proof Microsoft's products against evolving cyber threats. Could you describe a project where you anticipated future security challenges and implemented solutions that are still relevant or ahead of their time?

Answer 3 🎯

Working for the Trustworthy Computing team was amazing. Working at the headwaters for Software Security and at the scale they are responsible for was a great experience. One of the things that I was working on there was trying to threat model in HoloLens using mixed reality and natural language processing. It’s still something that I play with from time to time and would love to focus on one day. The other project I was working on that is still going strong is a process to ingest all the public open source we could collect and run it through a battery of tests including fuzzing and static analysis; responsibly report any validated findings and just run the pipeline 24/7. The goal is to do whatever we can to improve the security of open source, and that amazing team is still hard at work with that goal.

Question 4 💭

As a project lead and active contributor to SAMM and the OWASP Top 10, how do you see these frameworks evolving in the face of emerging threats? Are there any specific changes or trends that you've been advocating for?

Answer 4 🎯

These have been two impactful projects to work on. For SAMM, we have been working to keep up with changes in development but remain stable. It was originally more focused on larger companies with waterfall development methodologies, but now we have updated the model to apply to a much broader range of organizations that may use a wide range of different methodologies for development. For the Top 10, we made the shift away from raw incident counts for vulnerabilities that would keep things like Cross-Site Scripting always at the top to an incident rate similar to epidemiology where we look at how likely it would be to find particular CWEs (Common Weakness Enumeration) in a given application. Both SAMM and Top 10 have a challenge where they need to keep up with changes, but not too often. They are both used in foundational ways in the industry and if they change too often, then they will be discarded for something more stable. That’s why the Top 10 only updates every 3 years or so and SAMM also doesn’t undergo frequent major changes to the model.
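The shift Brian describes, from raw finding counts to an epidemiology-style incidence rate, is easy to see with numbers. The OWASP Top 10 2021 methodology defines incidence rate as the percentage of tested applications that contain at least one instance of a given CWE, so a single application with hundreds of XSS findings counts once, the same as an application with one. The following is an added example, not code from the interview or from the OWASP project; the application and CWE data are constructed to show how the two rankings diverge.

```python
from collections import Counter

# Constructed sample dataset: each application maps to the CWE ids found in it.
# The values are invented to illustrate the ranking difference, not real data.
SAMPLE_APPS = {
    "app-01": ["CWE-79"] * 40,                 # one XSS-heavy app inflates raw counts
    "app-02": ["CWE-79"] * 25 + ["CWE-287"],
    "app-03": ["CWE-287", "CWE-862"],
    "app-04": ["CWE-862"],
    "app-05": ["CWE-287", "CWE-862"],
    "app-06": ["CWE-862", "CWE-89"],
    "app-07": [],                              # a clean app still counts in the denominator
    "app-08": ["CWE-287"],
}


def raw_counts(apps):
    """Total findings per CWE across all applications (the old ranking basis)."""
    counts = Counter()
    for findings in apps.values():
        counts.update(findings)
    return dict(counts)


def incidence_rates(apps):
    """Fraction of applications containing at least one instance of each CWE.

    Deduplicating per application with set() is the whole point: a CWE that
    appears 40 times in one app contributes exactly one app to its numerator.
    """
    total = len(apps)
    apps_with = Counter()
    for findings in apps.values():
        apps_with.update(set(findings))
    return {cwe: n / total for cwe, n in apps_with.items()}


def ranking(metric):
    """CWE ids ordered from most to least significant; ties broken by id."""
    return [cwe for cwe, _ in sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    print("By raw count:     ", ranking(raw_counts(SAMPLE_APPS)))
    print("By incidence rate:", ranking(incidence_rates(SAMPLE_APPS)))
```

Under raw counts CWE-79 leads by a wide margin because two applications are saturated with it; under incidence rate it drops behind CWE-287 and CWE-862, which each appear in half of the applications. That is the behaviour Brian refers to: the incidence view answers "how likely am I to find this weakness in a given application" rather than "how many findings did scanners emit".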

Question 5 💭

You're in a unique spot working both in the cybersecurity industry and academia. How do you incorporate real-world security challenges into your curriculum at Union University? Could you share how a particular project or teaching strategy has successfully connected the dots for your students, making the lessons stick?

Answer 5 🎯

When I started teaching almost five years ago, they asked me to build a Cybersecurity program, which I did based on the security domains in the CISSP and my 20 years of experience. I’ll have my first graduates this Spring. I am also updating the Computer Science program to better represent what’s happening in the industry, including AI/ML, cloud architecture, and similar. One of my favorite things to do is to introduce students to specific challenges that exist in the industry. For example, right after the 2020 Iowa caucuses had their Android app meltdown and hit the news, I was able to get a copy of the application bundle and a security analysis report and bring it into class as a lab project for the students to pull it apart and analyze it to see if they could replicate findings within the report. In data visualizations, we’ve gone to the VERIS database that is used for the Verizon DBIR reports and performed analysis on the data to see if we could replicate findings, and built a mock detailed organization and presented findings and recommendations that would be tailored to that organization they created.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Top Articles and Resources of the Week

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.

  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.

  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.

  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.

  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.