Jeff Costlow is the security architect for Tempered Networks, where he is responsible for implementing security into all aspects of software development. As a software security specialist, Jeff has designed and implemented secure software and has successfully led engineering teams specializing in host and network security. With a deep understanding of a secure development lifecycle and many years of successful program design and execution, Jeff’s work has positively impacted the software engineering market across the areas of design-time threat modeling, peer-based software review, security code scanning, and vulnerability response. He took some time out to speak with us at LIFARS.
LIFARS: How did you get started in the field and what significantly stood out?
Jeff: When I decided to move to Seattle, looking, curiously enough, at the jobs wanted ads, I found a Kerberos vendor doing security at the time. It was all about authentication at the time. Authenticating people was the most important and still is, of course. We were more worried about the people. We were still forming much of the Cybersecurity field at the time. I remember, very distinctly, circling a job offer three times in the help wanted ads because it had to do with cryptography. I took that job and worked there for a couple of years. To proceed, I believe working in Cybersecurity is working in a new frontier. It feels like we still haven’t figured it out yet. It is as if at one point we had gotten really good at building bridges because we had built a hundred bridges and now we knew what the best practices were. To bring it back, we have got some decent best practices for software engineering. We are not great at building the security part of it, yet.
LIFARS: What do you believe to be a hindrance to the progression to “the things that need to be done?”
Jeff: It is a lack of education on the part of the engineers. They are engineers; they want to solve a problem in the first place or they wouldn’t be engineers. We have gotten to a point where we now have some very good tools and frameworks, but these have not necessarily been built with security in mind. While we are getting better at that, it is more an engineering problem. We didn’t used to know how to build a bridge, and now we know how to build bridges that don’t fall down, but we have a whole other layer with computer security or software engineering. Many times those bridges that we have built have alternate purposes. When it comes to software, a bad guy figures out how to exploit those alternatives, or at least cause the software to do something it was probably meant to do, and it probably does it well, but you didn’t necessarily want it to do that for your piece of software; it was just left enabled. Work needs to be done on making libraries secure and making them easy enough to use so that everybody can gain the advantage of it. The problem is you might be using a version of OpenSSL from four or five years ago, and is that the best practice today? Well no, it is probably not. It goes back to what sort of complexities we can remove from the system when we sit down and do our design work. There’s a common rule of software engineering: it will cost you $1 to find the bug at design time, $10 to find it during construction, $100 during the testing phase, and $1,000 during the vulnerability response phase. The engineers want to solve the problem; it’s just that they may not have a complete understanding of everything that they’re putting together because of the sheer complexity of the systems being built today.
LIFARS: What are your views of automation in the cyber security industry and the steps being taken to automate certain steps?
Jeff: Let’s say that we’re going to build in five or six layers of security; we have to rely on the complexity of the system that someone else built. We’re talking about host-based security. What happens if something comes into your system and accidentally disables a layer? You’re not going to want to have to test for that every single time. You’re going to have to build some automation around that to actually test it and make sure that all those building blocks are doing what you want them to do. I do view automation as one of the most important things in the software development process.
LIFARS: What are some common misconceptions on requested information by government, private, or corporate entities that is not required to be disclosed?
Jeff: The fact that everybody uses Facebook and LinkedIn means everyone willingly gives up their data for convenience and various social reasons. Then they no longer have any control over that data, and it’s very complicated to track. Wouldn’t it be nice if, when you typed a piece of personal information into a form, there was a legal disclaimer that said ‘thank you for your data, here’s how we’re going to monetize the data that you just typed in.’ When you type in your address you can receive a $25 coupon, so clearly they expect to make more than $25 off of me in some way. It’s a pretty interesting thought to think about it in that perspective. It’s not free. You can even take this in a lot of different directions: you can say, what is Google’s annual income from its advertising, and divide that by 300 million Americans. You get a tremendously large number; even if you could come up with just the domestic US value, it’s still a huge number, and the ‘monetization’ is off the people. It’s not off of anything other than monetizing people.
LIFARS: Where do you think the Cybersecurity industry will be in the next five years?
Jeff: I think we’re going to see a lot of cryptographic attacks, like we’ve already been seeing a lot of them in 2015. We’re going to see a maturing of the crypto industry. The other thing is we’re going to see more people that just go out and start attempting to hack or attempting to break the security of systems. If you read something like the full disclosure mailing list, which is where a lot of vulnerabilities get posted, there’s just a lot of software out there that quite clearly hasn’t gone through a rigorous security evaluation. So I predict more people getting into the Cybersecurity game and finding vulnerabilities in common software. We are going to see a lot more phone-like features and applications that are self-contained come onto our computers. For example, an application only has certain access, and that is something that we haven’t been able to do very well on our own laptops: deciding that this particular application sees only this data. The commercial interest versus the nation state interest is already being talked about. The federal government is asking if there can be a crypto backdoor for national security purposes; however, the companies are saying no. They want the trust of customers, and trust is an interesting, precariously balanced point. How much do we trust them and how much are we willingly giving them? It’s going to be an interesting thing to play out as we move ahead, but I think that’s one of the areas that people are going to understand a little bit more.
Contact Jeff Costlow on LinkedIn.