Key Takeaways for CISOs From CrowdStrike's Infamous Bug
David Brumley of Mayhem Security Discusses Better Code Analysis and Staged Rollouts

The recent CrowdStrike outage has forced CISOs to rethink their approach to software updates and security practices. According to David Brumley, CEO of Mayhem Security, the root problem with the CrowdStrike update was insufficient code analysis. The incident exposed significant gaps in how updates are managed and how code is analyzed before deployment. Similar outages can happen unless organizations invest in security practices at the developer level.
Brumley shared three key lessons from the outage: the importance of staged rollouts over extended periods, the need for thorough testing and the value of deep code analysis to uncover hidden vulnerabilities.
"The mantra is: It's 100 times easier and cheaper to fix things during deployment. It goes beyond the economics of that," Brumley said. "At the end of the day, these are code vulnerabilities. You need to have people who are writing the code to fix them, and so to make sure that they're a stakeholder in finding them as well, in tool choice and deploying them, is important."
In this video interview with Information Security Media Group at DEF CON 2024, Brumley also discussed:
- The importance of dynamic application security testing in identifying reliability and security issues;
- Why it is important to fix bugs during development, rather than after deployment;
- Why simply having a software bill of materials is insufficient when it comes to quality security programs.
As the CEO of Mayhem Security, formerly known as ForAllSecure, Brumley leads teams in building autonomous tools that check software for exploitable bugs. He has more than 20 years of experience, including as a professor at Carnegie Mellon University.