The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI, where she investigated cybercrime; a seasoned corporate executive who built and operated information security teams; and now a cybersecurity attorney.

As a self-described “Breach Whisperer,” Mary and our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate for and advise Boards of Directors, CIOs, CISOs and General Counsel on how to legally protect their company from cyber-related risk.

DevSecOps.... We Cyber Security Pros Love Rebranding!

See Article Here

I think it was 2013 when I first heard the term “shifting security to the left” in reference to coding applications. The premise is as true today as it was six years ago: it is cheaper to take the time to fix a problem while in development than to try to fix it post-production. However, it doesn't appear that much shifting has occurred. The attached article calls “shifting to the left” DevSecOps, but the meanings are the same.

I have dealt with several incidents where the root cause ended up being a non-patched application. After the dust settled, I would ask the coding teams: if we are an agile shop, why are there security vulnerabilities that aren’t being fixed for months, some for years? If you are not familiar with the Agile methodology, simply put, it is a faster way of coding applications, and if something breaks it’s easier to fix because there aren't multiple bureaucratic steps that have to be taken to get the job done.

However, when I would inquire about fixing vulnerabilities in applications, those same Agile teams would scream, “I can’t patch this vulnerability because it might break the application!” That always left me scratching my head because it just didn't make much sense. If it breaks, just fix it, right?

I don’t know; it seems we as Info/Cyber Security professionals are doomed to constantly talk about the same challenges we have been talking about for years. The frustrating part is that we have the answers to many of our questions, but we are still not having much luck shifting into gear.