Mark Felegyhazi, Avatao: “fixing security bugs takes much more time than learning how to avoid them”


With ever-evolving cyberattacks, it’s getting more difficult to secure a whole organization. And when working from home became the new normal, the use of unsecured devices and networks created huge security gaps.

Cyberthreats are lurking around many corners of the cyber world and it’s virtually impossible to monitor each step of every employee. For this reason, traditional security measures, such as Virtual Private Networks (VPNs) or antivirus software, won’t do much good without training employees about cybersecurity.

That’s why Cybernews invited Mark Felegyhazi, the CEO of Avatao, a company that specializes in interactive training, to discuss cybersecurity training, threats, and other prevention methods.

What was the vision behind Avatao? Can you tell us more about your story?

We founded Avatao while being teachers at the Technical University of Budapest in Hungary. We wanted to offer a place for students to try the concepts they learn at school during classes. The platform quickly became popular and our business partners reached out if they could use it to train their engineers.

After an initial soul-searching, we realized that the biggest need is to make the software development process more secure, as developers are responsible for creating business-critical products and services. Hence, we started to focus on secure coding and application security learning. Our vision is to give every developer the knowledge that allows them to create trusted, reliable software. Ultimately, this will create a trusted digital world where people can be safe.

Can you introduce us to what you do? How do you manage to keep the training both educational and engaging?

Our platform gives developers hands-on examples of real-life security vulnerabilities and also shows the best practices to protect software against these issues. We run a cloud-based learning platform accessible on demand. The exercises are tailored to the technology, job role, and skill level of users to make them relevant to their job.

Engagement is always an issue. Obviously, personalization and relevance is the biggest engagement factor. Many developers go through our security tutorials and then discover similar issues in their live code. So, this has a direct impact on their coding quality. Also, we have engaging features, such as gamification elements, hacking competitions (also called CTFs) that further engage users.

What kind of threats can only be mitigated with the help of quality cybersecurity training instead of traditional safety measures?

People are the first line of defense. Security tools are typically matching patterns and they can discover certain bugs, and suggest a local solution to those. But humans can extrapolate these issues and proper security awareness training allows developers to apply security best practices and eliminate whole classes of issues.

Experience has shown that security tools are not efficient and can cause alert fatigue. At the end of the day, most significant security breaches were discovered by people. Typically, someone somewhere notices an anomaly and starts digging deeper into the data. Our application security training makes developers more attentive and sensitive to these weak or faulty coding practices.

It is evident that the recent global events uncovered cybersecurity challenges worldwide. What would you consider to be the main takeaways?

Cybersecurity is a never-ending cat-and-mouse game. Let’s admit that the miscreants are also innovating, they use the most advanced techniques (often for critical security breaches against top companies), yet at the end of the day, they are business people.

There is no perfectly secure software or system. What security can do is significantly raise the bar for miscreants to perform and monetize security breaches. Here, the key lesson is to focus on the fundamentals and elevate the security awareness of everyone involved in product development. A few major companies such as Google and Microsoft committed significant resources to this cause. Similarly to the car industry, we need mandatory best practices (like a seatbelt or ABS) that make the baseline operation of software development more secure. Then, we can focus on enhanced defense techniques to defend critical assets, such as national critical infrastructure, but that’s a whole other story.

In your opinion, what types of attacks are we going to see more of in the near future?

The goal of any attack is to extract value, so here the key is to understand the motivation of attackers. I believe that the media deals a lot with high-profile attacks against top companies and critical infrastructure, but the majority of attacks are motivated by business. Miscreants need to make money, and cyberattacks are an easier way to make a profit than other illegal activities. Ransomware, data breaches, and financial fraud will always be there until it becomes unprofitable because default defenses are too difficult to overcome. We have seen this with spam that was popular in the first decade of this century, then researchers and the industry understood the modus operandi of spammers, and spam defense became so much better that crooks turned to other attack methods.

Why do you think certain companies often overlook employee cybersecurity training?

I think most companies are aware that training is beneficial. It all comes down to the costs. Many companies think that training is not immediately profitable and they fail to implement it, focusing more on short-term business goals. Yet, these companies eventually lose as trust erodes their product fairly quickly, and this means a disadvantage in sales as well. In addition, fixing security bugs takes much more time than learning how to avoid them. Also, engagement in training is tough. There has to be a clear narrative and will from management to set cybersecurity as one of the goals of the company. If that does not exist, cybersecurity training is doomed to fail. It is also difficult to express the actual value of training. In this regard, it is similar to insurance: it works when nothing happens, and it is hard to express the value of nothing happening. By now, there are good techniques to express the return-on-investment (ROI) of cybersecurity training that we often advocate to our customers.

In the age of remote work, what do you think are the worst cybersecurity habits that can put a whole organization at risk?

This is a very popular topic these days. I’m not an expert or practitioner in building remote infrastructure, but the common theme is that organizations that had remote culture weather these times much better than those that relied heavily on physical workplaces. The lack of communication and working in organizational silos is absolutely the most dangerous element of this. People in home offices who did not have a remote working culture before might not have the right processes to follow and have to make security decisions on their own. Shadow IT, the use of personal devices for handling work data, and in general, any bad operational decision can be risky for the organization. In the age of remote work, these decisions remain hidden more easily because there is no time or way to control everything.

Besides secure coding training, what other security practices do you think are must-haves for companies nowadays?

This is a long and complex topic, but I’m with those professionals who advocate putting the right security fundamentals in place. Know your product and infrastructure, know your people, know your data and customers. From this, one has to collect the security threats relevant to the organization (threat modeling), prioritize and communicate them, and set up a proper vulnerability management program that works with clear, understandable goals towards reducing risks. Secure coding training is a key piece of this puzzle delivering the knowledge and potential solutions to the discovered issues.

And finally, what’s next for Avatao?

Avatao built a hands-on platform for developers to find and understand the best practices to defend against security threats. In the future, we are going to embed Avatao further into the software ecosystem of customers, connecting this useful knowledge to various security triggers, like bugs from application security tools or pentest reports. We will extend the integrations of the platform to other software tools to make security knowledge accessible to developers during their software development journey.
