I've been a little absent from this blog for a while, mostly because I've been settling in to a new job where I've briefly changed my focus almost completely from application security to being a software developer.
The blog absence is going to change now, and I'd like to start that with a renewed effort to write something every week. In addition to whatever grabs my attention from the security news feeds I still suck up, I want to get across some of the knowledge and approaches I've used while working as an application security guy. I'll likely be an application security guy in my next job, whenever that is, so it'll stand me in good stead to write what I think.
The phrase "One Simple Thing" underscores what I try to return to repeatedly in my work – that if you can get to the heart of what you're working on, everything else flows easily and smoothly.
This does not mean that there's only one thing to think about with regards to security, but that when you start asking clarifying questions about the "one simple thing" that drives – or stops – a project in the moment, it's a great way to make tremendous progress.
I'll start by discussing the One Simple Thing I pick up by default whenever I'm given a security challenge.
What are we protecting?
This is the first question I ask on joining a new security team – often as early as the first interviews. Everyone has a different answer, and it's a great way to find out what approaches you're likely to encounter. The question also has several cling-on questions that it demands be asked and answered at the same time:
Why are we protecting it?
Who are we protecting it from?
Why do they want it?
Why shouldn't they get it?
What are our resources?
These come very quickly out of the One Simple Thing of "what are we protecting?".
Here are some typical answers:
You can see from the selection of answers that not everyone has anything like the same approach, and that they don't all line up exactly under the typical buckets of Confidentiality, Integrity and Availability.
Do you think someone can solve your security issues or set up a security team without first finding out what it is you're protecting?
Do you think you can engage with a team on security issues without understanding what they think they're supposed to be protecting?
You've seen from my [short] list above that there are many answers to be had between different organisations and companies.
I'd expect there to be different answers within an organisation, within a team, within a meeting room, and even depending on the time I ask the question.
"What are we protecting" on the day of the Equifax leak quickly becomes a conversation on personal data, and the damaging effect of a leak to "customers". [I prefer to call them "data subjects", because they aren't always your customers.]
On the day that Yahoo gets bought by Verizon for substantially less than initially offered, the answer becomes more about company value, and even perhaps executive stability.
Next time you're confused by a security problem, step back and ask yourself – and others – "What are we protecting?" and see how much it clarifies your understanding.