[opt-skept]

As part of the industry, I can tell you I've personally found dozens (hundreds?) of vulnerabilities per year for the more than decade running of my career. The same is true of my collegues.

I have met "cybersecurity teams" who are "tool monkeys" in the way you suggest. Usually these individuals are part of an extended compliance team. They are trying to check compliance boxes by having some level of automated scanning, because their parent organization/team can't/won't staff professionals capable of this or capable of scaling it or focusing attention on where it matters.

I don't want to oust you for where you work or your role within those companies - but really surprised to hear that there's no inhouse pentesting and no in house red teaming. I haven't worked at a company yet (on my fourth) that matches the experience you described.

[slt2021]

a lot of your suggested vulnerabilities could be prevented from appearing if company just hired a person who can configure SAST and WAF and etc solutions (solving a class of security problems from showing up on a platform level, not on per each vulnerability instance level).

Why rely on an in-house redteamer who may find one or two vulns per year, or may not.

[opt-skept]

Eh... maybe.

I think "configuring SAST" goes back to what you had previously said about "tool monkeys". Now there's thousands of potential issues. Many are false positives. Who is going to tune that SAST for accuracy rate? What about vulnerabilities that are framework specific? Will the SAST even allow for this? Who is responsible for triaging all of these alerts? Are they capable of correctly addressing them?

If you just set up SAST and walk away, you end up with more noise than you do signal. And you created the need for security professionals to process the results.

I think the article had better suggestions for scalable security, for example #3 Build standardized patterns and #7 Provide isolation patterns. Better to systematically prevent SQLi with a platform/library than try to detect all variations of SQLi with SAST!

WAF? It's something I would put in front of a product I have confidence in as a defense-in-depth. But would I rely on it as the sole security investment? Absolutely not. The reason is not all vulnerabilities are web-based, and many do not have differentially detectable payloads (missing authz on an API isn't going to get caught by WAF).

Why Red Team? Because the leading way businesses get compromises is with phishing attacks.

A security team needs to ensure application security, network security AND operation security. A SAST or WAF aren't going to do that. Neither with Qualys, etc.

[slt2021]

>>Now there's thousands of potential issues. Many are false positives.

Inspecting output/logs of Qualys is no different than inspecting logs of kubernetes (or other SRE platform). and both overlap.

If you have highly skilled SREs - task them with security. If you dont have good SREs, you have to keep IT architects (and call them infosec) who will be able to look at all your IT Zoo across all your on-prem datacenters and cloud accounts and can make a call to do X,Y, and Z to keep company secure.

and who can recover your infra from groun zero in case you got ransomwared

[opt-skept]

I disagree. I think inspecting the output from Qualys (and other tools, including SAST) are substantially and manifestly different from inspecting Kubernetes logs.

I would worry the argument about "highly skilled SREs" could become a "true Scotsman" argument. If a business has any persons who are skilled enough and plentiful enough to process all of the security output and take action on them, let it be so.

My experience is that in practice, there are not the resources to process all of the output that the tools generate. Do you have experience to the contrary where this has been done at a company scale or is your argument a theoretical one that you believe stands to reason?

[fragmede]

If you task your fully staffed SRE division to have some people doing cybersecurity full-time, what's the difference between having that and an actual cyber security team? And if you have that, why wouldn't you want to hire experts in that field instead of cross-training or finding generalists?

[slt2021]

hiring security experts is expensive and very few companies are able to afford and retain them.

ask yourself what is cheaper: hire and retain Cloud Operation admins in SRE org, hire and retain Cloud security experts in cybersecurity org -- vs hiring a cloud security guru and task him overseeing with maintaining and security $platform_name ?

very few companies are able to hire and retain SRE-Kubernetes operators and Kubernetes security architects, so it kinda makes sense to merge and hire one good expert

[fragmede]

Now you're just haggling over price. Ask yourself, what's more expensive, a good security team, or getting hacked? For LastPass, it's existential.

It just depends on the size of the respective orgs. If engineering is 5 people, a dedicated security person doesn't make sense. At 500 you might be able to get away with one. At 5,000 engineers though, you real do need more than one good security expert.