10 Things I Learned About Security at Velocity

[This article was written by Fredric Paul]

For many people, data security is like a morality play: good guys trying to protect honest citizens from the marauding bad guys. It turns out, though, that the best way to provide that protection may be for the good guys to think more like the bad guys.

That was the central message of New Zealand security consultant Laura Bell’s keynote presentation at the Velocity Conference last week. Bell, founder of SafeStack (with the awesome Twitter handle of @lady_nerd), gave an engaging, thoughtful presentation that challenged engineers to think differently about security. I recommend you watch the entire 18-minute presentation in the video below, but if you don’t have time, here are 10 key points I took away from the session:

1. To protect yourself, you need to “think like a villain.” Not everyone plays by the same rules you do. Security plays by different rules than engineers.
2. Remember that attackers are not after your technology. They’re not after your applications. They’re after the precious data inside your applications. That’s what you need to protect.
3. The days are gone when companies could rely on one person or even a group of people to be the security champion. Today, “every last one of [us] is responsible for the security of your systems and applications.”
4. “We are all liars, cheats, and thieves,” Bell said. That’s OK, she added, mostly because we feel that no one is getting hurt. The key is to be able to distinguish actions from intentions—“we can understand actions without becoming psychopaths.”
5. Acting “bad” is difficult for many engineers, Bell said. “We love puzzles and building things” while breaking into applications is destructive. Engineers often shy away from that.
6. Ask yourself: How would you break into your own house? Then ask yourself, how would you break into your applications?
7. Most data breaches do not follow the Hollywood ideal of a carefully planned, elegant cyberattack. Most attacks are simple, not sophisticated—crude, quick-and-dirty attacks using lies to dupe people who control the most likely attack pathways.
8. It’s useful to create a safe place to do bad things, what Bell calls “destructive security play.” This should not be production!
9. In that space, play like you never read the rulebook. You have to forget all the rules you know, Bell said, “Because they’re not right.” You have to get over your fear and realize, “It’s OK to break it.” Be creative. Dealing with chaos is an important element of security.
10. You need to start today … the bad guys are already at work!

Watch Laura’s full Velocity presentation below:

Oh, and one final legal note: Bell said her lawyer requires her to warn everyone: “Please do not do actual crime. Do not encourage others to do actual crime.”

Seems like good advice…