
Cybersecurity specialists are drowning in a sea of software vulnerabilities. AI may be able to help

By Christian Vasquez
March 25, 2025, 10:00 AM ET
Using more AI may help companies prioritize which software vulnerabilities to fix. Jakub Porzycki/NurPhoto via Getty Images

After spending more than 20 years in the cybersecurity field, David Lindner is ready for the industry to change.

As chief information security officer at cybersecurity firm Contrast Security, he’s pushing for fellow CISOs to be more early-adopter enthusiasts than old-school security practitioners. Having spent a good portion of his career in security, he thinks the industry needs to change by using artificial intelligence before a major cyberattack forces its hand.

“Security is just slow to adapt sometimes,” Lindner said. “I think we’re on the precipice of something different. I really think people are going to have to start doing things differently.”

For years, the software ecosystem has been infested with bugs, leaving malicious hackers with a buffet of options to exploit. Meanwhile, software continues to be churned out at an ever-increasing pace, rife with known defects.

Lindner warns that developers using artificial intelligence to speed up software production will increase the number of options that hackers can attack as well as increase the number of vulnerabilities. The answer is to fight the consequences of artificial intelligence with more artificial intelligence, Lindner said, to help organizations determine what their cybersecurity priorities should be.

Deciding priorities depends partly on the unique infrastructure and products each company owns and operates. It’s a monumental task that takes up huge resources, argues Lindner. 

The National Vulnerability Database, a federally-run repository of software vulnerabilities, tracks and releases over a hundred bugs daily that vary in severity. Some bugs can be safely ignored, but others should be immediately patched or the risk mitigated. 

By the time developers can get around to fixing bugs, there are often new ones to join the already long backlog of vulnerabilities. The situation is so unmanageable that nearly half of all organizations have had a critical vulnerability remain in their software for longer than a year, a report by the software security firm Veracode found. 

“Prioritization has been forever the vein of AppSec’s existence, because we just don’t ever have enough information where it matters,” Lindner said, using industry jargon for application security.

Lindner began his technology career as a developer before quickly finding an interest in security. He started in the security field at a medium-sized insurance company that was just beginning to explore application cybersecurity.

Lindner had just joined the security team when he discovered the world of penetration testing, in which professional hackers are paid by companies to try to find bugs and vulnerabilities in their products.

“We hired a third party to come in and run a [penetration] test and my eyes just kind of lit up,” Lindner said. “I was like holy s***, this is awesome. This is so cool and I decided to go get my master’s.”

He spent the better part of 15 years in application security after finishing his master’s in 2006. Lindner next went to IBM before consulting in the same space for around eight years. In 2008 he went to a security firm, of which a portion would spin out to eventually become Contrast Security.

Now, he believes the ecosystem is ready for major change—whether people are ready for it or not. Software developers and cybersecurity practitioners are essentially in a boat filled with holes, armed with a bucket that is also filled with holes. “A lot has changed, but nothing has changed,” Lindner said.

Fixing vulnerabilities is often a frustrating topic for Lindner, largely because he’s been seeing the same thing for years. For example, the Open Worldwide Application Security Project (OWASP), a nonprofit organization that focuses on software security, releases the top 10 web application security risks every year. And every year, the top 10 risks are largely the same, Lindner said.

Lindner’s push for more AI is partly driven by CISOs he has heard from who oppose using AI tools, citing security and privacy issues. However, he says the industry has been using AI in one form or another for years before generative software became popular. For example, email spam filters are an early use of machine learning that quickly became the norm for dealing with the deluge of unwanted emails.

“I want to see people embrace it and take advantage of newer things,” Lindner said. “AI is not scary. It’s powerful and it’s going to help us.”
