It’s one of the most memorable scenes from the 1990s movie, A League of Their Own.
An incredulous Jimmy Dugan (played by Tom Hanks) has just given an earful to his right-fielder Evelyn (played by Bitty Schram) for an ill-advised throw to home plate that allowed runners to get in scoring position. Those runners would eventually score to tie the game. As Jimmy returns to the dugout, a distraught Evelyn then begins to cry softly, and Jimmy turns around to ask “Are you crying? (No) … Are you crying?… Are you crying?! There’s no crying! There’s no crying in baseball!” Jimmy then provides a detailed story from his own experience to drive it home and the point is clear: no matter how bad it is or how big the mistake, never let them see you cry.
At first glance, you might not think there are parallels between application security and that scene. You might even say “there’s no application security in baseball!” But permit me to take a moment to discuss why application security is so important to sports, athletes and success today.
Ever heard of analytics?
For decades, athletes and teams have been trying to get a competitive advantage, or “edge” that will translate into success on the playing field. Over the years, the use of film, nutrition, specialized trainers and more have become commonplace. Competition rules have even been modified because of the use (or misuse) of technology. And the big current trending term today is “analytics,” with the general understanding being around collecting data and searching through it to find the hidden keys and trends that make a difference. And nowhere is this more prevalent than in Major League Baseball.
In the MLB, there seems to be a stat for everything. Hitters have hot and cold zones. Pitchers are measured on how much movement a pitch has as it approaches a batter. Relief pitchers are brought into games in key moments to face a single batter because they match up favorably. And there are even times when a team will “put the shift on” and put extra fielders on one side of the field because of a hitter’s tendencies.
We had a great discussion recently with Steve Mason on the Application Paranoia podcast on this topic. We asked Steve which particular stat he thinks makes the greatest difference for team success, and he shared that the stat he pays the most attention to is the FIP.
FIP stands for Fielding Independent Pitching and according to the MLB glossary, it “focuses solely on the events a pitcher has the most control over — strikeouts, unintentional walks, hit-by-pitches and home runs. It entirely removes results on balls hit into the field of play.” Steve pointed out that this is a much truer measure of a pitcher’s success than the more traditional stat used: Earned Run Average, or ERA. The reason is that a pitcher may throw the perfect pitch in the perfect spot, but the batter may make contact and a fielder can make an error. Or the bat breaks and instead of the ball being hit to an outfielder, it becomes a bloop hit.
Generally speaking, pitchers that have a lower FIP tend to have more success and win more often. Good to know if you are drafting a team for your fantasy league.
How it relates to application security:
Consider the immense amount of data that is collected. Applications are used every day to collect, process, transmit and communicate that data. And so much of it is made publicly available. It is imperative that the information be both accurate and secure. Why? Hundreds of millions of dollars are being spent on player contracts, and billions more are spent on gambling, fantasy leagues and more. Data is used to compare teams and athletes and provide the insight for making decisions like who to sign, lineup order, pitching rotations, who to play and more. This is why there are pre-game injury updates, why cameras follow players walking from a bus to a locker room and why people scrutinize every player movement during warmups.
Now imagine what would happen without application security if some of that information were coming from a Fitbit or an Apple Watch.
Do you think owners and managers would change things if they knew a star player had a rough night and only got 2 hours of sleep? Or that they were dehydrated at game time? How would sports betting agencies feel if they were forced to make adjustments to odds at the last minute? What if a player sponsors a new fitness product and, as part of the contract, has to use and promote their app? Say the app is not secure and suddenly their training information is visible to the world? Or worse, they get injured and they have to use that app to track their recovery?
We need application security operating well here because athletes deserve the same privacy as the rest of us. After all, there is a reason HIPAA exists.
Better Application Security For Better Analytics
Good application security ensures that data collected stays protected. It means data transmitted is not data taken. In short, it means that data is used but not abused. And when it comes to analytics, it means that the difference makers are those that can spot the trends and tendencies that others miss – when looking at the same data set. Success is skill related, and good security provides confidence in a level playing field.
Now consider the security teams behind those applications and relate it back to our initial movie scene. The truth is that far too many appsec pros can relate to Evelyn. They do their best to make the right play, but sometimes the cutoff man is missed (false negative) because there is too much crowd noise (false positive) causing a distraction. Or instead of “there’s no crying” they are hearing things like: “It’s not that bad!”, “That’ll NEVER be exploited!”, or “We fixed that already!” when they point out a vulnerability or when an application is tested in a new environment.
I have even heard stories of a few “We didn’t have these kinds of issues before you arrived!” And just like in the movie, when someone comes to Evelyn’s defense and is shot down, all too often CISOs are calling out risk in the board room but seeing their budgets cut tighter. This high-stress tension is one of the greatest reasons that the average job tenure for a CISO these days is a short 2-4 years. When you are constantly fighting an uphill battle, you get tired.
And the sad truth is that it often takes an outside circumstance to effect the change needed. The end of our movie scene comes when the umpire walks over to get the game resumed and then chastises Jimmy for the treatment of his players. Jimmy makes an inappropriate comment and gets ejected, which immediately changes the dynamic in the dugout. Later in the movie, we see Jimmy again talking to Evelyn about throws from the outfield, but with a very different tone, and much greater success.
As sports teams in all leagues continue to search data for trends, tendencies and tactics, and as more and more data is collected, application security will only grow in importance. Teams need reliable places to store and use information. Having strong, secure applications as the heart of a security strategy goes a long way in ensuring that data is used properly instead of perused, misused and abused.
Application security matters. To learn how to maximize the impact of continuous, metrics-based improvements on your Application Security Testing program, watch this Continuous Security webinar with my HCL colleagues Colin Bell and Kris Duer. Or catch us on our Application Paranoia podcast, available on Apple Podcasts, Spotify, Google Podcasts and Buzzsprout.