Actionable Advice

I gave a talk at OSCON 20 about security. It’s not a typical security talk though. I’ve given and attended a lot of what I would call “typical” security presentations. It’s generally about some big security idea, there’s likely some amount of blaming everyone except the security industry itself. We should make sure we throw in some analogies, maybe comparing cars to buggies or bridge safety. Blockchain is pretty hip now so that can probably solve the problem, maybe with AI. In general these presentations aren’t overly exciting and tend to play to the audience. They are fun, but that’s not the point this time.

The best part about getting to give a security talk at OSCON is I’m not talking to a security audience, I get to talk to developers about security. Developers, the ones who do the actual work, sometimes in spite of their security teams causing friction and slowing things down. It’s very common for security guidance to lack actionable advice. You need to use a strong password! OK, sure, but why and what does that mean? How do I write secure code? How can I fix these security problems you just told me my project has? I tried to fill my talk with actionable advice for the developers. Also bad jokes.

Actionable advice is hard. It’s very easy to point out what’s wrong with something, it’s probably ten times harder to actually fix it. Brian Kernighan has a quote that I like to use to explain this: “Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.” The same basic thing holds true for fixing any problem, security problems included. Fixing problems can be very difficult, helping someone else understand and then fix a problem is REALLY difficult.

A great example can be found with cross site scripting (XSS) security flaws. These are bugs that basically let an attacker take over the content on your website (I know this is a gross oversimplification). In many instances the developer will get a report about an XSS bug found in the website, so they fix that one bug. There is effectively an infinite supply of these bugs on every website, because every place untrusted input is spliced into HTML is a candidate. Developers are adding new XSS bugs faster than anyone is fixing old ones. What if I also told you there is a way to fix all of these problems. Forever!

Well, nothing is really forever, but this is one of the examples I use during this presentation. If we look at the OWASP Top 10 we can get a sense for the most common mistakes in web applications. In the 2017 list XSS was #7. I expect it will always be on the Top 10 list. I like OWASP a lot, they’re a great group and you should get involved if you’re not already. But I do have some issues with the Top 10 list from the viewpoint of non security developers. The list doesn’t contain actionable advice in the way I would like. It treats these issues as being unrelated and often offers a number of possible solutions to each of the top ten.

If you pick a modern web framework and use it properly, you can remove about half that list! Templates that escape output by default take care of XSS, parameterized queries through the ORM take care of injection, built-in CSRF tokens and session handling cover a couple more. That’s pretty wild if you think about it.
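To make the XSS point concrete, here is an added example (not code from the talk or from any particular framework) that puts the classic bug beside the thing a framework gives you for free: a template engine that HTML-escapes every substituted value unless the developer explicitly marks it safe. The `render` function is a deliberately tiny stand-in for a real engine and only understands `{{ name }}` placeholders; `SafeHTML` plays the role that `Markup` or `SafeString` play in real frameworks. The attacker payloads are constructed for the example.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample input: "username" values an attacker might submit via a form or query string.
ATTACKER_NAME = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_unsafe(name: str) -> str:
    """The classic XSS bug: untrusted input spliced straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


@dataclass(frozen=True)
class SafeHTML:
    """Marker for a fragment the developer has deliberately declared trusted.

    This is the escape hatch every autoescaping engine has (Markup in Jinja2,
    SafeString in Django). It is also exactly where XSS bugs come back, so a
    reviewer should grep for it.
    """
    value: str


def escape(value) -> str:
    """Escape a single template value for an HTML body or quoted attribute context."""
    if isinstance(value, SafeHTML):
        return value.value  # explicitly trusted, emitted verbatim
    # quote=True also turns " and ' into entities, so the value cannot break
    # out of a quoted attribute such as value="{{ name }}".
    return html.escape(str(value), quote=True)


def render(template: str, **context) -> str:
    """Toy template engine with autoescape on (assumption: only {{ var }} placeholders)."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: escape(context[m.group(1)]), template)


def render_safe(name: str) -> str:
    """Same page as render_unsafe, but every substitution goes through escape()."""
    return render("<p>Hello, {{ name }}!</p>", name=name)


def render_attr_safe(name: str) -> str:
    """Attribute context: the payload tries to close the quote and add a handler."""
    return render('<input value="{{ name }}">', name=name)


if __name__ == "__main__":
    print(render_unsafe(ATTACKER_NAME))    # script tag survives, browser runs it
    print(render_safe(ATTACKER_NAME))      # &lt;script&gt;..., rendered as text
    print(render_attr_safe(ATTR_PAYLOAD))  # quotes become &quot;, attribute stays closed
    print(render("{{ x }}", x=SafeHTML("<b>trusted</b>")))
```

The lesson is the one the framework teaches: stop thinking about individual XSS reports and make the default output path safe, so the only remaining bugs are the places someone wrote the equivalent of `SafeHTML`. Two caveats a practitioner should keep in mind: HTML escaping covers the body and quoted-attribute contexts shown here, but untrusted data placed inside a `<script>` block, a URL, or a CSS property needs context-specific encoding that this toy does not provide, and unquoted attributes remain unsafe even with escaping.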

There’s a little more nuance than this of course. You also have to keep your framework updated, and you better make sure it has a healthy upstream. You will also make mistakes. Everyone makes mistakes. When mistakes are made fix them fast. We love to focus on blame but that’s not very useful. What is useful is having the ability to move fast.

I could of course go on in more detail, but the basic idea for the presentation is I break the OWASP Top 10 into something closer to the top 3. Everyone can remember three things, nobody can remember ten.

One of my goals is to discuss security with everyone. While security conferences are a lot of fun, the topics are often self serving and don’t reach beyond the typical security people. It’s very common to hear “security should be everyone’s job”. This statement is sort of silly if you think about it. Is electricity everyone’s job? No, it’s just something that exists and we don’t really think about unless it’s broken. Security should be like electricity or plumbing. It exists, it’s pretty easy to use correctly, and as long as it’s doing what it was designed to do, nobody worries about it.