More observations from Black Hat.
The anthropology of security.
In his keynote speech at Black Hat yesterday, Dino Dai Zovi, staff security engineer at Square, argued that software security depends primarily on the culture of an organization. Dai Zovi described working as the first security hire of a trading firm. He said that most of his work at the company was focused on implementing the basics of security and making sure the IT systems were running smoothly.
When he moved to Square, he noticed how different the culture was, particularly because “security engineers had to write code like everyone else.” Dai Zovi said that because of this, there was much more collaboration between the security team and software engineers, with the software coders actually asking security engineers for advice rather than treating security as a nuisance. Being part of the software development gave the security team a much deeper understanding of why the software engineers did what they did, and Dai Zovi says it allowed him to start “showing and not telling.”
Dai Zovi then stated that “software is the universal substrate of value today, and is the key success differentiator for many companies, just by being good at software delivery.” He outlined three lessons that companies should follow in order to improve their software delivery process.
The first is to “work backwards from the job.” He cited Unix as an example, saying it was “the most successful software project in history.” Dai Zovi said that Unix grew incrementally based on the job it was meant to fulfill. He added that Unix had an “implementation before specification.” Security teams and software developers need to understand the job their software is supposed to accomplish and work backwards from there.
The second lesson is to seek and apply leverage. Dai Zovi said that automation in software is a force multiplier, and it can allow defenders to stay ahead of a much broader range of threats.
The third lesson is that culture is more powerful than strategy, and strategy is more powerful than tactics. Dai Zovi argued that security teams need to start saying “yes” to proposed changes in order to adapt to rapidly changing technology. He said that empathy is a central component of this process, which called back to his earlier point about security engineers being involved in and assisting with the software development process. Security engineers need to overcome their fear of change and the unknown if they want to keep up with this process.
We'll have more from Las Vegas in tomorrow's issue.