Sentry Scouts Meetups are organized by software developers for software developers, about the future of building and using software. Sign up for the next Sentry Scouts Meetup or enjoy a video of a past Meetup.
Or do both. Or do neither. Or simply become paralyzed by choice and take a nap.
Security, the focus of our fourth Sentry Scouts Meetup, is like a Snuggie, in that they both begin with “S” (one of the top 26 letters of all time) and provide a sense of comfort. Also similar to a Snuggie, poorly done security can leave you in a tangled, frustrating mess. We’ve all been there, right? As the issues become more complex and public, companies are learning from their mistakes and placing more emphasis on security.
In case you haven’t heard, Sentry Scouts are an opportunity for like-minded friends and professionals to swap stories around a faux campfire (a fauxre, if you will). Don’t worry — we also provide plenty of camp-related non-pizza snacks and drinks to go around. We gathered a fine group of security experts:
At its very core, security is about separation: keeping the people you want and denying those you don’t want to access your website, data, and so on. As Nate Lindstrom (formerly of Yahoo! and Salesforce, currently at AWS) explained, “it’s a balance of how tightly you lock things down for bad guys versus people who actually want to use the product.”
Instead of focusing all security efforts on not being attacked, GitHub’s Jamesha Fisher suggests mitigating risk and creating a usable product that people feel secure using. One step toward creating that secure, usable product is understanding user behavior. Specifically, as Sarah Harvey of Square points out, gaining the ability to predict what users are going to do with the product. In parallel to user behavior is understanding internal security assets, including software, machines, and data. Companies should pay close attention to where these assets are stored and who has access.
Professional Paths to Security
Just as companies take many paths to their security strategy, our panel of experts has also traveled unique routes. Aisling Dempsey of NCC Group wasn’t in tech before joining a coding bootcamp. From there, Dempsey found a consulting firm that was willing to take a chance on someone who would learn on the job. Calvin Liu (Ventura Enterprise Risk Management) transitioned into a security role when a social media company co-founder asked him to join the team, giving Calvin an excuse to put his 80’s MMO RPG hacks and bug-finding to use.
Even the day-to-day work of security professional varies. While some read Request for Proposal documents all day and answer questions to clients, others focus on improving documentation and building out services. However, most of our panelists solve security issues that other engineers don’t have to worry about. Harvey, for example, focuses on a “combination of writing software and coordinating with leads to understand what customers’ (other engineers internally) requirements are.” Regardless of role specifics, security professionals are “constantly learning [and] trying to understand what’s happening in the world,” as Liu explains.
[There’s a] misunderstanding that if it’s open[-source], then it’s inherently insecure. That’s not true. It can be, but it isn’t necessarily.
Open-Source & Security
As the security space has evolved, a debate about the tradeoffs of closed versus open-source code for security purposes has arisen. Dempsey describes the “misunderstanding that if it’s open[-source], then it’s inherently insecure. That’s not true. It can be, but it isn’t necessarily.” She goes on to detail the core of the issue: when a vulnerability is found in closed-source code, companies often can’t patch the issue because they can’t find it. With open-source, an entire community can seek out the issue and fix it quickly.
Harvey brings up the specific example of open SSL and the fact that people go on using it even though the code itself has flaws. “What’s important is keeping the key material private, but not the security algorithms or the cryptographic algorithms or the encryption signing. These systems are built by people who know what they’re doing and understand the nuances of the platform.” Again, there is an emphasis on the value of the open-source community collaborating.
Alternatively, Liu points out that while open-source makes sense in some cases, “there are now so many lines of code that you can’t expect them all to be looked at. Open-source inherently opens space for attackers.” He goes on to reiterate that the real issue here is not whether open-source is good or bad for security, but who is going after what.
Change happens at a glacial pace on the internet. Nothing is getting fixed any time soon.
What does the future of security look like?
Lindstrom bluntly states, “change happens at a glacial pace on the internet. Nothing is getting fixed any time soon.” Although change on the internet may move slowly, Harvey emphasizes that technology is advancing at break-neck speeds, leaving misunderstanding as to what our computer is actually doing in its wake.
Dempsey reminds us that critical structures are still needed for everyday life (for hospitals, banks, schools, etc.), and it would be a disaster if those stopped working. “People are inherently bad at a lot of things and are very easily fooled. Education on how to get better should be worked on.” Education also needs a focus on privacy, “especially as more of our lives are digitally integrated,” as Fisher notes. There aren’t many current regulations on how data is being used, despite the need for user and data protection.
Thank you to everyone who joined us for Sentry Scouts: Security. We hope to see you next time. In the meantime, you’ll want to check out our fantastic blog, educational (yet fun) tutorials, and other helpful resources.
See you there! Or here, on the internet!