“People Don’t Take Security Seriously and It Scares the Life Out of Me!” An Interview with DevSecOps Pro Stuart Slade
Stuart Slade is a security expert who recently joined Contino! Stuart has been in the IT industry since the early 1980s. He started out in software development, but in the last eight years or so has become more heavily focused on AWS and security. He's got decades of experience to share so we sat down with him to talk about the biggest problems with security today.
Why don’t you tell us a bit about your background?
My Dad was an electrician and started teaching me about household wiring from the age of about three - so it’s no surprise that I ended up as a techie! The Sinclair ZX81 sparked my interest in computing. I put it together myself from the kit that they give you, but then thought, “Now what do I do?” So I started reading about programming and taught myself assembly language programming, because the original BASIC programming language was painfully slow!
From that starting point I moved into software development very quickly (I was a full stack developer in the days before the term existed). I wrote my own tools, libraries, language interpreters...all kinds of things - right the way through the different stages of a dev career: software engineer, analyst programmer, through to lead developer and head of development.
About ten years ago I decided to make a change. My work overlapped a lot with system administration and infrastructure – I had been doing a lot of UNIX/Linux sysadmin work, for example – so I moved away from dev and into infrastructure and architecture. I started working for a company that created solutions for the automotive industry and designed and built all of their AWS infrastructure. They were already using AWS in 2009 - very ahead of their time!
My account manager back in the day was Iain Gavin, who was later a Director of AWS. Before joining Contino, I worked for a consultancy for two-and-a-half years doing a lot of government work on AWS, creating a ‘leading lights’ solution that was scalable and well-documented.
Over the last year, I spent a lot of time studying to get all five AWS certificates and doing a course on big data.
So my background covers all kinds of things!
What are the biggest enterprise problems, in your opinion?
I have always been heavily focused on security. People don’t take security seriously and it scares the life out of me!
Take the NHS. It was hit twice by the same thing. The first time is bad enough. The second time you would say is inexcusable. Or at least that’s what I thought, until I spoke to someone who works for the NHS. Apparently they have no choice! They can’t patch their systems because they use third-party software that breaks whenever they patch their machines. So they can patch their machines - but be unable to treat patients - or not patch their machines and get hacked.
Clearly, something has to change!
Another ridiculous example: I previously worked for a company that had 14 AWS accounts and dozens of users. Every single user had a password of ‘password’ and, when a new user was added, the login and password were sent round on a distribution list of dozens of people. Half the company could have had access to all of these AWS accounts. If someone were to log in and spin up any number of instances you wouldn’t know who it was!
Incidents like these are going to bite eventually!
And what’s the solution?
It’s definitely a mindset issue. Security needs to become a more central issue culturally within businesses. There’s much talk about DevOps, but very little about DevSecOps. How many organizations have a DevSecOps or a SecOps team? Very, very few have security embedded in their ways of working. The whole security aspect just isn’t properly considered and the whole mindset needs to change.
AWS constantly cite the fact that their number one focus is always security - over and above everything else - and that’s how we should all be thinking.
Is there any low-hanging fruit that organizations can take advantage of?
There is a set of documents that AWS publish called the ‘Well-Architected Framework’ and a load of related books. It is based on five pillars: security, reliability, performance efficiency, cost optimization and operational excellence. If people were to just sit down and read that framework, examine the five pillars and the associated documents I think they would learn a huge amount straight away.
People seem to think that they don’t need to consider security! But in even the simplest situations things can go wrong. You will find that companies often want to try proofs of concept, for example. The first thing they do is spin up an instance in a default VPC in a default public subnet with no security - they’ll put some code on it and show it to their boss and say “Look: proof of concept! Hurrah!” But already they’re vulnerable! The default build for a VPC is a single public subnet with the default security group, which opens it up to the whole world. It’s up to the user to control those permissions and adjust them accordingly before doing anything, but people simply don't do this. They’ll build an instance there and won’t secure it, patch it, protect it, or put firewall controls on it. Someone relatively inexperienced might drop some keys on that server that could give full admin access to the whole account - and then a bad guy could access that instance via a vulnerability and spend any amount of money on any infrastructure.
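The proof-of-concept scenario above comes down to one check a team can automate before anything is shown to the boss: does any security group attached to the account let the whole internet in? The script below is an added example written for this page, not code from the interview, Stuart, or Contino. It walks a list of security groups in the same shape that boto3's `ec2.describe_security_groups()` returns under `"SecurityGroups"` and reports every ingress rule whose source is `0.0.0.0/0` or `::/0`. The three sample groups (and their `sg-` identifiers) are constructed for the example; to run it against a real account you would pass the live response list into `find_world_open_ingress` instead.

```python
"""Flag EC2 security group ingress rules that are open to the whole internet.

Added example: the input shape mirrors boto3's ec2.describe_security_groups()
response ("SecurityGroups" list). SAMPLE_GROUPS below is constructed data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Source ranges that mean "anyone on the internet" (IPv4 and IPv6).
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str            # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: Optional[int]  # None when the protocol has no ports
    to_port: Optional[int]
    cidr: str

    def describe(self) -> str:
        """One-line, human-readable summary of the exposed rule."""
        if self.protocol == "-1":
            ports = "all traffic"
        elif self.from_port == self.to_port:
            ports = f"{self.protocol}/{self.from_port}"
        else:
            ports = f"{self.protocol}/{self.from_port}-{self.to_port}"
        return f"{self.group_id} ({self.group_name}): {ports} open to {self.cidr}"


def find_world_open_ingress(groups: Iterable[dict]) -> List[Finding]:
    """Return a Finding for every ingress rule whose source is 0.0.0.0/0 or ::/0.

    Rules whose only source is another security group (UserIdGroupPairs), such as
    the self-referencing rule on the default group, are not reported.
    """
    findings: List[Finding] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr in WORLD_CIDRS:
                    findings.append(Finding(
                        group_id=sg["GroupId"],
                        group_name=sg.get("GroupName", ""),
                        protocol=perm.get("IpProtocol", "-1"),
                        from_port=perm.get("FromPort"),
                        to_port=perm.get("ToPort"),
                        cidr=cidr,
                    ))
    return findings


# Constructed sample: three groups as describe_security_groups() would return them.
SAMPLE_GROUPS = [
    {   # Default group: allows all traffic, but only from members of itself.
        "GroupId": "sg-0default0000000000",
        "GroupName": "default",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "UserIdGroupPairs": [{"GroupId": "sg-0default0000000000"}],
             "IpRanges": [], "Ipv6Ranges": []},
        ],
    },
    {   # Proof-of-concept box: SSH and the app port opened to everyone.
        "GroupId": "sg-0poc000000000000",
        "GroupName": "poc-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # Restricted group: HTTPS only from an internal range.
        "GroupId": "sg-0internal000000000",
        "GroupName": "internal-https",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]


def audit_sample() -> List[str]:
    """Run the check over the constructed sample and return the report lines."""
    return [f.describe() for f in find_world_open_ingress(SAMPLE_GROUPS)]


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run as a script it reports the two rules on the `poc-web` group and nothing for the other two. The same function works unchanged on a real response because it reads only the documented keys (`GroupId`, `GroupName`, `IpPermissions`, `IpRanges`, `Ipv6Ranges`); dropping it into a pipeline step that fails the build on any finding is the cheapest way to stop the "default subnet, open to the world" proof of concept from shipping.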
[VIDEO] Stuart talking about how to securely transfer files from a bank at AWS Security Loft London, September 2017.
What do the next five years hold for cloud security?
I think that there will be an awful lot of enterprise migrations in the foreseeable future. This will bring a lot of pain for those used to old-school environments. They have a vested interest in not allowing too much change because it’s a lot of work! They’ll want to keep the cloud environments as similar as possible to on-premises builds - that way they don’t have to learn anything, get certified, or change how they work. But on-premises and cloud are not the same. If you use the latter as if it’s the former you get the worst of both worlds. With on-premises you have hard-coded IPs everywhere - these don’t work well at all in the cloud. Similarly, a lot of on-prem systems are not designed in a way that can handle lateral scaling. In this way, enterprise migrations are often more about the applications and the people than the infrastructure...people force the infrastructure to mould itself to the applications, when it needs to be the other way round for organizations to be able to reap the benefits of the cloud.
And the benefits can be enormous. Two former colleagues developed a proof of concept moving an existing system from on-prem to the cloud and made a cost-saving of two orders of magnitude (i.e. 1% of the previous cost). They then redesigned the application to run on AWS Lambda and got another two orders of magnitude of saving. So they were paying 0.01% of what they had been previously! Not only that but they had a resilient and highly scalable design into the bargain.
By investing in the right design to get these benefits, it’s possible to recoup your costs incredibly quickly. And the savings are ongoing after the initial investment: buy the golden goose and it forever lays golden eggs! So you have to bite the bullet and put the upfront investment in first, because there’s an effectively infinite ongoing benefit and the savings can be very significant.
How did you end up at Contino?
It was purely Rhys Davies, the Recruitment Director at Contino. He rang up and showed that he was interested in me, he knew my background and how I would fit into the organization. Not your usual recruitment agency approach!
What kind of stuff do you get up to more generally?
I love motorbikes and cue sports, except for eight-ball pool. It’s just not aggressive enough!