Security Mentality

William Heinbockel
2012-10-23T11:51:00-05:00
2012-10-23T11:52:14-05:00

From the security perspective, we need developers and engineers to “think more securely”. However, this is easier said than done. We need to first address several important issues:

  1. What does “think security” mean and how does one use it?
  2. How can the concepts of “think security” be distilled and taught?

Explaining the Security Mentality

I am only starting to examine the first issue:

What is it about the mindset of a security professional that distinguishes them from developers and other professions?

Maybe a good place to start is looking at other methods of thought, such as critical thinking or the Socratic method. One well-known modern teacher of thought, Edward de Bono, breaks the thought space into three general types of thinkers:

Horizontal Thinkers:
Creative thinkers that focus more on abstract ideas and fantasy, including artists and designers

Vertical Thinkers:
Critical thinkers that use deductive reasoning to solve problems, such as engineers and software developers

Lateral Thinkers:
“Sideways thinkers” who use more creative problem-solving techniques and are capable of freeing their thoughts from common thought biases and assumptions

Lateral thinkers can be thought of as a combination of both horizontal and vertical thinkers.

Planes of Thought

de Bono’s portrayal of lateral thinkers has many similarities to common traits of security professionals — they are capable of approaching problems in innovative ways to find new security weaknesses.

Lateral Thinking Puzzles

Examples of lateral thinking are best highlighted in lateral thinking (or scenario) puzzles. In these puzzles, you are presented with a situation and must work out the circumstances under which the situation can be reasonably explained.

The trick to these puzzles is that there is no deducible solution to the problem. That is, the solution cannot be reached using only the information given in the puzzle and the assumptions it invites you to make.

Here is a common example of a lateral thinking puzzle:

A man walks into a bar and asks for a drink.
The bartender pulls out a gun and points it at him.
The man says, “Thank you,” and walks out.

For the answer to this problem as well as other lateral thinking puzzles, visit Brain Food.

Schneier’s Law

No discussion of the security mentality can be complete without a mention of Schneier’s Law. While initially posed in relation to cryptography, it is equally applicable to the general problem addressed by the security mentality:

Any person can invent a security system so clever that he or she can’t imagine a way of breaking it.

—Schneier’s Law (as coined by Cory Doctorow)

The advice is that security should be done in teams and made available for peer review. This is because individuals are incapable of considering every possible security threat; they are further constrained by their assumptions and biases.

Edward de Bono at least partially addresses this problem in what he calls parallel thinking. Parallel thinking can be viewed as an extension to lateral thinking where the thinking process is performed as a group and focuses on exploring possibilities.

The next step is to start exploring some of these common biases that lead to vulnerabilities. My hope is that if we can understand why developers make security mistakes (besides pure negligence), we should be able to adapt our approaches to software assurance and education to minimize security risk.
