DAY 2, 22 MAY
11:00 - 11:45
Security
ABOUT THE SPEAKER
I run with a team of hackers who use the former to prove that the latter does not exist.
Any other info about you: Vlad Styran is a cofounder and VP for Berezha Security, a Ukraine-based cybersecurity consultancy. He is a cofounder for the largest Ukrainian cybersecurity conference NoNameCon and a co-leader of OWASP Kyiv chapter. Vlad has more than 15 years of experience in different aspects of cybersecurity and is certified as OSCP, CISSP, and CISA.
Talk: Human is an amateur; the monkey is an expert. How to stop trying to secure your software.
There is a bunch of fundamental security engineering principles that span across various disciplines and allow us to build reliable systems. Yet we often fail to do it. Do we simply ignore those principles? From the standpoint of a long-term penetration tester, I strongly doubt that.
There is also plenty of so-called “security methodologies” that claim to provide us frameworks for building secure software. Yet we rarely use those methodologies properly, ur just omit them for the sake of business priorities. Would they save our lower backs if applied prior to the cyberattack? As a retired social engineer, I doubt that too.
We have principles and we have textbooks that explain them, yet we fail to use them properly. For a long time, I wondered why? Are we arrogant? Are we stupid? Are we just bored? I couldn’t believe any of those explanations are complete. So I stepped on the road of learning more about human behavior and look at what I found.
The thing is: common sense and textbooks are bad security strategy. You don’t want an intern with a “methodology” to secure your critical infrastructure. You want to have an expert on that assignment. Someone, who failed enough times to have an intuitive understanding of how to navigate the minefield. Someone, who feels it in their guts.
For the last 20+ thousand years, habits not analytics were responsible for human security in all aspects of life. For the last 100 years, the life around us is getting complicated much, much faster than we are getting used to it. From security professionals, you could hear a lot how “common sense” and “critical thinking” could help you avoid emerging threats, such as cyber. I myself was an adept of such thinking for a long time until I took my time to figure out how our biological software actually works. And it turns out, that higher brain activity is a bad framework for security implementation.
So how do we build secure software for our systems? We have to start with rewriting the software for our brains. We have to build security habits in individuals. We have to build security cultures around those habits to let them spread within the teams, organizations, and populations. Spread with the speed of internet memes or even faster. We have to put security where it belongs: to our mammal brain or even deeper because that part of our hardware has been wired for that type of job over millennia.
We have to learn how to trust our habits, our instincts, our expert intuition. We have to stop giving a human the monkey job.