I asked 40 security experts to share their best advice, it didn't disappoint.
A little under 2 years ago, I decided to create a security-focused podcast, The Security Repo, mostly so I had an excuse to reach out and talk to some of the most respected and interesting people in cybersecurity and ask them all the questions. It turned out to be quite the life hack; a few even reached out to me to come on the show! One common question I ask all our guests is "what is the best security advice they would give the listeners", and some of the answers were fantastic. In this post, we will review some of my favorite quotes and discuss what each means.
Prepare for war
"When you write a contract, you don't prepare for peace; you prepare for war, the worst possible outcome. Security is much the same, you need to build security to protect you during times of war.”
Gregory Zagraba from Git Protect
Gregory Zagraba from Git Protect shared that when he was a child, a lawyer (who was also his sister) gave him advice that would stay with him for life. The advice was that when you write a contract, you write it to protect you in the worst-case scenario, even if it is a time of peace, you write the contract for a time of war. This concept follows through perfectly into security, your security defenses should be built for war, but this goes a little deeper than perhaps your first reaction. What is the worst-case scenario? A malicious user trying to access data, a ransomware group trying to encrypt your network, a malicious employee that has super admin access to everything? Before you build out security, you need to ask yourself what is war (or wars) you need to prepare for, then, and only then, you can start planning around how to defend against it. Security is easy during times of peace, but it is during peaceful times that we ultimately can build systems to win the war (because war will come eventually).
Break your own applications
Buck Bundhound and Tom Forbes both focused on the importance of understanding your own weaknesses by breaking your applications yourself and getting into the hacker mindset.
"Every endpoint, every input, think about how you could screw it up if you were an attacker how could I break my application."
Tom Forbes - Staff Software Engineer
“Always pretend you are trying to breach yourself,”
Buck Bundhund
Getting into the hacker mindset changes how you build applications. Attackers are smart, but they are also creative. When they see an input field, when they see an API endpoint they see possibilities. One of the best methods to build solid defenses is to ask yourself, how would I break the security of my application? It's easy to hide behind the excuse that a malicious actor doesn’t have in-depth knowledge of how your application works. Believe me when I say that an experienced attacker will be able to discover the inner workings of your application as well as you, if you can break your application, then an attacker will be able to as well. This is why I love the advice from Tom and Buck so much, it is also important to point out that this is not a once-off exercise. This is something you should think about with every function and feature you build.
In the same vein of this advice Dan Barahona, took this a step further when he was discussing API security. Often, we expect hackers to follow a certain path, the use the UI, but our security plans can quickly fall apart when they start sniffing traffic and find what is happening on the backend and attacking our APIs.
"Your UI is not part of your security stack. Your APIs are there in plain sight whether you realize it or not. Just because you are securing it from the UI does not mean that it's protected at the API level."
Dan Barahona - Founder of APIsec University, Head of Growth at APIsec
Trust nothing and no one
These are wise words that came from both Vangelis Stykas and Isabelle Mauny in slightly different ways.
"Never trust anything; if you are a developer, never trust your inputs, and if you are a user, never trust a person is who they say they are, and do not click the link that says click here."
Vangelis Stykas - Chief Technology Officer at Atropos
"The key thing is that it doesn't matter if the API you are working on is consumed internally or publicly. Make it a practice to systematically validate everything that is coming your way."
Isabelle Mauny - Co-founder and CTO of 42Crunch
There is the concept of zero trust in cyber security which is really using 3 layers of security before you authenticate someone or something. These are something you know, something you have, and something you are. In the real world, this would likely mean that before giving access to data, the requester needs to authenticate with a credential (something you know), use a code for MFA (something you have), and be from a trusted network (something you are). These principles don’t perfectly apply to everything in software, but we can use them as a guide and never trust an input unless we can prove it is secure.
Security has to make business sense
This one is a little counterintuitive, and you could go so far as to say it is even a little in conflict with some other advice. But in security, we must remember we are part of the business and while we shouldn’t sacrifice security, it is important to be creative to align security with the goals of the business.
"Don't think about security without business context, security is a gradient, I never say no, I always say yes but.
Can I use a vulnerable version of WordPress, yes but...
understand the ramifications and understand any business value and try to find solutions."
Erik Cabetas - Founder Include Security (DefCon CTF Winner)
"Don't sweat the small stuff, security can be overwhelming, so we must focus on what is best and most practical for the company."
Nipun Gupta Former COO Bearer
In security, we often think about things in black and white, that something is secure or it is not and we should also go for secure, but it is much more nuanced. There is the old security trope, “It's only secure if it's unplugged,” but this, of course, is not practical. We must understand that in security, we have to align ourselves with the business goals which means being creative in how we achieve security and prioritizing our tasks with what will have the best impact.
Security should empower developers to make good decisions
"Security teams should think about themselves as a platform, they are offering a service to developers, and that service is to help them reach the right decision."
Simon Maple - Former Field CTO Snyk
Security in the modern era should be a task shared by everyone, especially developers. For many years security and development teams considered themselves to be separate, developers build and security secures. This creates horrible lines of communication as developers get considered reckless cowboys and security team paranoid engineers with sticks. This approach slows down development and creates animosity among everyone. We have seen new approaches get discussed, like DevSecOps and ShiftLeft, but practically how do you get everyone to care about security? I love Simons's description here because it really shows the job of the security team to empower developers to make good decisions, to help them understand consequences, and to fit tools in and around their workflows. This way, security really does become a company-wide task with the security team operating as the glue that ties together the common goal.
Security is responsible for risk, but ultimately it is various parts of the business that have to address security concerns themselves. Security is all of our responsibility.”
Jeevan Singh - Director of Security Engineering
Breath
Finally, there was some simple but really great advice from Reanna Schultz.
“Slow down and think it's very easy to get caught up in your day. Slow down and think before you take action."
Reanna Schultz - SOC Team Lead
Security can be overwhelming, and often you can feel like you need to act immediately. But the reality is consulting with colleagues, taking a moment, and working out a game plan when incidents happen will serve you well.
Final words
Be prepared, think like an insider, trust nothing, work around business goals, empower other teams, and breathe. This boils down to advice from nearly 50 different security professionals from around the world. Getting advice from everyone can be overwhelming and sometimes conflict with each other, but what I have loved about asking these questions, it enabled me to dive deeper into the mindset of some extremely distinguished security professionals, and share that with you of course.