Speaking in the opening keynote at Black Hat USA, Dino Dai Zovi, researcher and head of security for Cash App at Square, talked about security teams acknowledging developers and vice versa.
After the previously announced keynote speaker Will Hurd was withdrawn amid criticism from the security community over his voting record, Zovi took the opportunity to focus on the “shift left” concept and on how he had worked his way through events like Pwn2Own and through security jobs where he had seen differing security cultures.
He said that starting his job at Square in 2014, he was able to overcome some of the collaboration problems he had seen in other jobs, and especially where there was a culture of collaboration and empathy, “as security engineers wrote code like everyone else.”
“A software team member said 'hello, security friends' and asked a question, and someone voluntarily talked to security. It took me a while to figure out what the ingredients were, and that was the transformative change for me.”
He said that when he saw this firsthand, he was critical and went on to demonstrate his capabilities because “we are not insiders anymore” and we need opportunities to demonstrate what we have learned.
To be better at security, he recommended looking at three transformative lessons:
- Work backwards from the job
- Seek and apply leverage
- Culture > strategy > tactics
The first lesson is “what customers hire us for,” as agility “is important as threats change, and it is important to keep up.”
The second lesson should be about the fact that “we are still a small community and problems we tackle are huge,” Zovi said. If we have better feedback loops, he said, we can measure attacking and succeeding and consequently develop better software.
The third lesson is that culture is hard, and “ops and devs jobs are hard and to allow change, we need to allow change to happen.” He also said that it is about cultivating a culture of empathy. Instead of saying no, “say yes and how we can help” and move away from a culture of blame.
“If we do this better, it will shape our strategy and shape our tactics and have an impact on results. And that is why we should focus on generating generative cultures,” he said. “Security teams are afraid and there are good reasons to be afraid, as there is a lot of bad activity going on out there, a lot of breaches, a lot of scary things and new stuff every day. But fear misguides us, as it is irrational, and if we are afraid of tail risks we could have a deprioritization of our resources. We may focus completely on targeted zero-day attacks and completely ignore credential stuffing attacks, which are far more common and way more likely to affect most people.”
He concluded by encouraging the world “to start with yes” as it keeps the conversation going and is collaborative and constructive. “That is how we have real change and have real impact.”