Black Hat USA 2019 Conference Report

I had the opportunity to attend Black Hat USA 2019 at Mandalay Bay in Las Vegas along with 19,000+ security professionals. I met several folks who had been attending Black Hat for more than 10 years. 

There were 20 different learning and breakout tracks including cryptography, cyber insurance, exploit development, IoT, mobile, network defense, and reverse engineering.

I had the opportunity to hear Dino Dai Zovi, Head of Security, Cash App, Square, during his keynote. This was Dino’s 20th Black Hat. He has gone from being a critic to being in the arena, learning how to work inside a company. Security is now integral to every company. Software is the universal substrate of value today. We need to embrace software to meet security challenges. Dino has come to realize that software and automation are a massive force multiplier.

Dino suggests taking a four-step, agile approach to security. Work backward from the job applying the four values of the Agile manifesto: individuals and interactions, working software, customer collaboration, and responding to change over following a plan. Dino believes security needs to be agile to be effective.

Seek and apply leverage. Security professionals are still a small community attacking huge problems. To be successful, we need better feedback cycles for better software and automation. Shorter feedback loops — the tighter feedback loop wins. Build for observability and look for anomalies. Automate everything in order to scale.

Culture is way more powerful than strategy, which is more powerful than tactics. Culture is how you leverage people. Security is everyone’s job — risks are shared. Dino suggests security starts with “yes, and here’s how we can help” instead of “no.” Eliminate fear of risk and unknown change. Learn how to manage fear. Focus on the security culture of the organization. These are the lessons Dino has learned moving from defense to offense. Start with “yes” because it keeps the conversation going, it promotes collaboration, and it’s constructive rather than a blocker.

In the post-keynote press conference, Dino shared his thoughts on how automation can help solve the skills shortage. It enables everyone to work on scaling impact better with tighter feedback loops. Faster feedback lets everyone understand if what they are doing is working.

Collaboration enables everyone to grow based on security challenges, learn how to apply knowledge to security challenges, and understand how to engineer as a team. Move beyond coding to engineering. Software engineering is what happens to programming when you add programmers and time.

Unix was written for developers first and was then given to others to iterate on in order to get new use cases to learn from. Build for more people, listen for feedback, and iterate. Software grows like a tree attuned to the use of its users.

What are the obstacles to starting with “yes”? You are able to move to the generative culture where risks are shared. Security is not just one team’s job. When software development teams take responsibility for security, they treat the security team as much more important. E.Q. affects culture. Recognize E.Q. is not everyone’s strong suit. Build for culture. Culture is created by the leaders. The personality of leadership has a big impact on culture.

I was also able to hear from Ruben Santamarta, Principal Security Consultant, IOActive, about Reversing the Boeing 787’s Core Network; Oded Vanunu, Head of Products, Vulnerability Research, Check Point Software Technologies, on Reverse Engineering WhatsApp Encryption for Chat Manipulation; and Bruce Schneier, Security Technologist and Fellow at Harvard Kennedy School, sharing his thoughts on Information Security in the Public Interest.

