"Did you know that your 20th Black Hat is when you get to give the keynote at Black Hat?" Dino Dai Zovi, head of security for Cash App at Square, joked to the packed ballroom. While it may have been Dai Zovi's 20th conference, the topic of his keynote has never been more fitting for where we are in security and the ways in which it mirrors what we experience in our day-to-day life.
He gave us an overview of his history: in high school he realized that hacking and security was a lot more like magic than he previously thought, because it was about figuring out how things work, putting a lot of thought into writing and making something respond in the way you want it to. In college, he spent his nights, weekends, and spring breaks learning how to find and exploit vulnerabilities in code. And about that time (in 2007) he used his skills to simultaneously prove that Apple's OS X operating system could, indeed, be hacked and win a laptop for his friend in the Pwn2Own competition.
No big deal.
Dai Zovi took his work as a security researcher into more corporate organizations, where he learned about the importance of automation, understanding what is really being asked for in order to solve the right problem, and ensuring that there is collaboration between security and development to achieve more quality outcomes. Here are the four key lessons that Dai Zovi learned as he transitioned from offense to defense.
Work backwards from the job: Dai Zovi talked about how McDonald's was working to understand how they should evolve their milkshake. What they noticed was that people were ordering them in the morning, and they wanted to see why this was happening. In discussions with a customer, the customer indicated that they needed to have breakfast on their morning commute. They had tried a banana, but it wasn't filling enough; a bagel was too dry, and spreading cream cheese while driving was too challenging; in giving doughnuts a shot, they found they were eating too may; but the McDonald's milkshake - unlike other milkshakes - was thick enough to last the full 40 minute drive to work and left them feeling full. As it turns out, they customer was not ordering a milkshake to satisfy hunger, but to cure boredom. Really try to understand your customer, who they are and where they struggle, and what you need to do to provide the best product or solution for them.
Seek and apply leverage: For this story, Dai Zovi took us back to his time with @stake, where when he first started he was essentially fuzzing by hand. He wanted to show off his skills, but when he realized that his colleague was completing his work - and finding more vulnerabilities - faster than him (and subsequently honing his foosball game) by using an automated technique. So Dai Zovi followed his lead and found that he was able to find more and do it more effectively. By using feedback loops, software, and automation you can really scale your impact.
Culture is more powerful than strategy which is more powerful than tactics: In one of the organizations he worked in, Dai Zovi was in a conversation with a developer who had been working on a feature but noticed it was coming out…a bit "sketchy." So the developer and security team white boarded out the feature and worked together to ensure that it was secure by design (shift left, anyone?). As security leaders, it's important that we focus on the security culture of our organizations. If we can create security culture change in every team, we can scale a lot more powerfully than we can if security is only security's responsibility.
Start with yes: We need to engage the world starting with yes. It keeps the conversation going, it keeps the conversation collaborative, and it keeps the conversation constructive. It says, "I want to work to solve the other problems you have, and I want to make you safe.” That's how we create real change and have a real impact.
"Why don't all security teams start with yes," Dai Zovi asked the audience. "Fear. There are lots of reasons to be afraid. But fear misguides us because it's irrational. Fear causes paralysis and creates more insecurity because it often leads to doing nothing."
For me, this was the most powerful takeaway. Dai Zovi talked about how he overcame his fear of flying by learning how to skydive. He felt the fear center in his brain activate and assured it that he would be fine: he had the right equipment and knowledge and knew that he would land safely. The more he jumped, the more he proved to his brain that he was safe and the fear dissipated.
Here is a truth about the human brain: we fear being rejected (or not belonging) and change above all else. There was a time when being outcast from the community meant certain death, and because change cannot be predicted, it cannot be planned for. As evolved as we have become, our brains have not kept up and we are all walking around with outdated technology that thinks that it should respond to change in the same way that it does being chased by a lion.
Ultimately, if we want to strengthen communication we need to first understand that we're all human and assume good intent. Everyone wants to feel safe and they want to belong, and these two desires can stop progress in its tracks. Yet being agile and objective, communicative and collaborative, are essential in today's changing threat landscape. The reality is, we need more innovation and teamwork in development and security - not less. Change is both an inevitable part of life and keeping software safe - we must be agile in our thinking and in our actions.
Stay tuned for more from Black Hat …