Bad things can be done for good, and all good developers should learn to be bad people too.
“Security fails when it is special, when it is not integrated into your life. Make continuous noise and it should be constant. Figure out how to break things. Don’t preclude threats; anybody can commit crime, across all ages and abilities. Know where your organisation’s bodies are buried and bring it into everything you do today,” said Laura Bell, director and lead consultant at SafeStack.io.
According to Bell, “Good and bad are problematic words and we need to start separating actions from intentions. Embracing bad behaviour can be challenging but you can avoid common pitfalls and get some good out of it.”
She was speaking at Microsoft's TechEd 2014 about how security should become a constant part of the thinking process for developers and engineers, and how they should try to break into their organisation’s solution sets as part of such thinking.
“Before I can tell you how you can do it, I should tell you how not to do it. Don’t go at it without having clear aims, and remember, not all attacks need to be sophisticated and elegant. Don’t romanticise; understand that real crime has real repercussions.
“Don’t make it into a puzzle. You only want to get from A to B in the shortest possible time. And there is always more than one way to do that. Be careful when reporting faults; no one likes to be blamed. Also, just trying to break into your organisation does not make you any less a moral person,” she said.
She then proceeded to take the developers in the audience through some guiding points that they could keep in mind when they try to be bad people.
“Be objective and keep your eyes on the prize. It is rarely about the technology, so don’t get distracted by the layers that an organisation has. Learn to see the things that you did not see before. Notice the unprotected network ports in the boardroom that anyone can clip something to and nobody would notice. See the things that you have been walking past every day.
“And think like a villain. Remember, you are not paranoid, they are really out there to get you,” said Bell.
She stated that developers should create a safe place to create chaos in, where the bad stuff can be done. Practice has to be done on something that is just like the production environment, or done on the production environment in a scheduled manner.
“Don’t surprise your organisation. Create a space for destruction to happen. Monitor things and stop guilting people when they break things. Reward the breakers and those who point out vulnerabilities. But reward the fixers a little bit more. And when you do this, do it like you mean it, like hundreds of hours have not been spent developing those systems or there is no love behind it. Hackers won’t see all that, and neither should you when you set out to do this,” said Bell.
She encouraged developers to make time for play and break bad for life, not just at one instant.
Bell was presenting on the final day of the four-day Microsoft TechEd conference that took place in Auckland this week. More than 2000 IT tinkerers, developers, vendors and partners gathered at the annual event to discuss the latest in the company’s technologies and solutions.