Application Security , Business Continuity Management / Disaster Recovery , DEF CON

Key Takeaways for CISOs From CrowdStrike's Infamous Bug

David Brumley of Mayhem Security Discusses Better Code Analysis and Staged Rollouts
David Brumley, CEO, Mayhem Security

The recent CrowdStrike outage has forced CISOs to rethink their approach to software updates and security practices. According to David Brumley, CEO of Mayhem Security, the root problem with the CrowdStrike update was insufficient code analysis. The incident exposed significant gaps in how updates are managed and how code is analyzed before deployment. Similar outages can happen unless organizations invest in security practices at the developer level.

See Also: Breaking Down Silos With a Holistic View of Security, Risk

Brumley shared three key lessons from the outage: the importance of staged rollouts over extended periods, the need for thorough testing and the value of deep code analysis to uncover hidden vulnerabilities.

"The mantra is: It's 100 times easier and cheaper to fix things during deployment. It goes beyond the economics of that," Brumley said. "At the end of the day, these are code vulnerabilities. You need to have people who are writing the code to fix them, and so to make sure that they're a stakeholder in finding them as well, in tool choice and deploying them, is important."

In this video interview with Information Security Media Group at DEF CON 2024, Brumley also discussed:

  • The importance of dynamic application security testing in identifying reliability and security issues;
  • Why it is important to fix bugs during development, rather than after deployment;
  • Why simply having a software bill of materials is insufficient when it comes to quality security programs.

As the CEO of Mayhem Security, formally known as ForAllSecure, Brumley leads teams in building autonomous tools that check software for exploitable bugs. He has more than 20 years of experience, including as a professor at Carnegie Mellon University.


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.