Yes, coding skills are highly valuable in the field of cybersecurity. Being able to write and understand code allows cybersecurity professionals to analyze, identify, and mitigate security vulnerabilities in software and systems. By writing scripts, developing tools, and understanding how different types of code can be exploited by attackers, individuals can enhance their ability to protect against cyber threats.
Back in 2011, Marc Andreessen wrote an article titled, Why Software is Eating the World. His theory was that software could replace a lot of traditional businesses (and as things turned out he was right).
Coding in software is valuable because it only solves one problem. It enables you to do a repeatable procedure by machine, rather than having a human do it manually.
Now, if you only need to do a procedure once, then you’re probably better off with a document, chart, or spreadsheet. But if you need to do it a hundred or a thousand (or 10 million) times, then it’s worth it to invest the time to develop software to do that procedure.
So, if something can be broken down into a repeatable procedure, it’s a candidate to be reduced to code. And that’s precisely what’s happened in the cloud.
The Cloud Becomes Code
When applications were on-premises and required actual physical hardware, deploying them wasn’t a repeatable procedure. You purchased the server, configured the application on it, connected it to the network and that was pretty much it. Nothing repeatable about it. It made no sense to create a software program to deploy a software program on-premises.
But when applications started being deployed in the cloud, things changed. The dynamic nature of the cloud means that resources must respond almost instantaneously to changes in demand for those resources.
The architecture required to run a cloud-based application had become a three-step repeatable procedure: 1) assess the current resources, 2) assess the current need for resources and 3) modify resources accordingly. And this procedure is not just repeatable, but continuously repeatable, in real-time.
The result? Infrastructure-as-Code (IaC). IaC is the managing and provisioning of infrastructure through code instead of through manual processes. Automating infrastructure provisioning with IaC means that developers don’t need to manually provision anything.
The cloud has become code. But the cloud is also a dangerous place. According to research, “In 2020, 79% of companies had reportedly experienced at least one cloud data breach. A later study by the same group came up with an even more significant figure. In the last two years, data from IDC and Ermetic showed that the figure had risen to 98%, up by almost 20% in just two years!”
This raises an interesting question. If the cloud can be reduced to code, can securing the cloud also be reduced to code?
Cybersecurity Becomes Code
Cloud-native applications create security issues. One very effective way to protect cloud-native applications is though threat modeling. But threat modeling a cloud environment that is constantly changing would require a fast, repeatable procedure. It sure would be nice if threat modeling in the cloud could be reduced to code. Can it be?
The Enterprise Strategy Group thinks so, as they lay out in their new whitepaper Toward Threat Modeling as Code. As effective as threat modeling can be, there are still some gaps in its adoption. The whitepaper details how threat modeling as code (TMaC) can help bridge that threat modeling gap.
You can download your free copy of the whitepaper here.
