"I don't mean to brag, but I have enough money in my pocket right now to buy that mini-fridge" -- Jake Johannsen
I was watching a movie recently that had a corporate awards ceremony in it where everyone was shuffled into a room and watched a senior executive hand out blue ribbons to a few people who had shown up. Embarrassed junior managers accepted the trophies and paused nervously for the obligatory hand-shake photo.
The main character was opining to his wife about how it seemed so unfair that his work was going unnoticed and how he felt slighted for not getting the recognition. She did a great job of counseling him that "it was just a piece of plastic" and that no one was going to remember the person giving it. In a feel good moment, the man's daughter gave him a hand colored "award" for "Best Dad."
I started thinking about the whole deal around corporate award ceremonies. They typically are not competitive events, though they certainly feel like it. The tacit message of course is "be like this person". On the flip side, it is also unfortunately a trend I see with millennials who come from "the winningest generation" and expect blue ribbons "just for showing up."
The wife was right though: those vapid trophy chunks of lucite would eventually find their way to a landfill, and the person handing them out would likely be long forgotten before then.
I realized their actual intrinsic value wasn't in the ceremony, or the cube squatting token that would eventually have to be thrown into a box when the employee quit or was "exited".
Their value lay in the dubious claims the recipients could make on their resumes, as in "Winner of the 2015 XYZ award" -- you see this in car commercials all the time, where they claim "Best in Class" -- which is totally meaningless when you think about it.
Nearly impossible to fact check, and other than the physical trophy that no one is going to carry into their next job, I realized that we might as well start making up our own trophies to celebrate our achievements!
We can go online right now (just google "lucite awards") -- and create a trophy to celebrate our Awesomeness*. Order it, pay for it, and receive it. Done & Done.
Then on our resumes we can literally put down "Recipient of the Q4 Awesome Award" -- and we would not be lying in the least.
We'll even have the trophy to prove it.
So go ahead and give yourself or someone you respect the recognition they deserve.
* "Awesomeness" is actually a skill that I added to the LinkedIN profiles while they were still in public beta -- you can endorse someone for "Awesomeness" -- which I frequently do if I think you have it.
In a discussion, opposing views are presented and defended and the team searches for the best view to help make a team decision. In a discussion, people want their own views to be accepted by the group. The emphasis is on winning rather than on learning.
In dialogue, people freely and creatively explore issues, listen deeply to each other and suspend their own views in search of the truth. People in dialogue have access to a larger pool of knowledge than any one person enjoys. The primary purpose is to enlarge ideas, not to diminish them.
"It’s not about winning acceptance of a viewpoint, but exploring every option and agreeing to do what is right."
On August 1, 2007 I was crossing the I-35W Mississippi bridge on my way to one of my last MBA classes at the Carlson School of Management, University of Minnesota. I was on my motorcycle at the time and traffic was stop and go. That summer the MN Department of Transportation (DOT) had decided to resurface the bridge, and traffic had been pushed to the outer lanes while the scrapers and jackhammers were busy removing the old surface.
The bridge wasn't just vibrating, it was bouncing! I could feel its momentum beneath my tires and could see the cars around me rising and falling slowly. It didn't feel safe, but my thought was, "well, they wouldn't be doing this if it wasn't safe, right?" I kicked it into gear and finished crossing the bridge, pulling into the parking ramp when it happened: the bridge collapsed behind me, killing 13 people and crippling some of my classmates. A minute earlier and you would not be reading this today.
The NTSB cited a design flaw as the likely cause of the collapse, noting that a too-thin gusset plate ripped along a line of rivets, and asserted that additional weight on the bridge at the time of the collapse contributed to the catastrophic failure.
That day inspired two clear security mandates for me:
1. Trust but Verify
2. Build Security In. Don’t bolt it on
The first is a well-known tenet of security. The bridge falling was a wake-up call for me, because I recall vividly thinking as the bridge was bouncing up and down, “surely this must be safe because they wouldn’t be doing this otherwise?”
“When you see something, say something”
Now when I see something suspicious I raise my hand and say something. This is the security empowerment mandate. It doesn’t just apply to security; it applies to any situation where the pattern suggests an anomaly, in security posture or business practices alike.
The second lesson is captured by the image of that gusset plate, a reminder that security should not simply be bolted on. Modern bridges no longer rely on gusset plates for their strength and safety. Why should modern software?
In information security the gusset-plate approach is essentially Security Operations or “SecOps” – all the structures put in place to build sandboxes around vulnerable assets. It’s the firewalls, anti-virus systems, file-system scanners, and web application proxies.
I see the same complacency in the trust by assumption that companies place in their infrastructure. Developers don’t take ownership of the security of their systems because they have been trained to rely on the SecOps infrastructure to keep them safe in their sandboxes.
If we’re going to build modern software we can no longer afford to place our trust in the apparatus of SecOps – we must move the ball back squarely into the applications themselves – an AppSec, or SecDev program.
The old methods of trying to enforce input data types, lengths, and sanitization at the edge are brittle and do not scale horizontally. The tightly coupled coordination between Development and Operations (DevOps) to manage the Web Application Firewall (WAF) rules creates so many bottlenecks in the application delivery pipeline that few organizations deploy more than a handful of vendor supplied generic rules, hoping to filter out the most basic attacks.
Instead of relying on web application firewalls and proxies to try to prevent, let alone detect, malicious activity, we must embed that capability within the applications themselves. The developers know what is an anomaly – they code for it with structures like “assert()” and “try/catch” blocks. By linking in a standardized logging system that can feed into an enterprise Security Information and Event Management (SIEM) system, malicious activity can be discovered AS IT’S HAPPENING in a way that scanning log data after the fact can’t match.
“Don’t try to train developers to code securely. Give them secure code”
By collapsing towards a set of hardened input sanitization routines we can wipe out most of the OWASP Top Ten exploitable defects. And since few developers have a passion for rolling their own, it behooves us to find and promote secure tools that they can just leverage. Later in our maturity we can add rules to our code scanning tools to detect whether the approved libraries are being used, adding a layer of enforcement.
Once input sanitization has been handled and security events are being consumed by the security logging tools, focus on standardizing authentication and authorization handling. You’d be surprised at the number of exploitable systems that can leverage authenticated sessions to pivot and access other assets because the developers did not think to confirm that the entitlements were bound to the session. “I have a valid token or session cookie, let’s go and modify that user number that was passed in as part of the session…” The ability to pivot on credentials is not the kind of defect you’re going to find from code or vulnerability scanning. Very few penetration testers are going to find it either. The best method is to “trust but verify” – demand to see evidence in the log files that the session handler can detect when an access request is being made on assets not bound to that token.
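The two building blocks described above, a hardened input routine and a session handler that checks entitlements and emits a security event the SIEM can consume, put together as an added example. This is illustration code written for this page, not code from the author or any product; the session table, the account ownership table and the in-memory event list that stands in for the SIEM feed are constructed sample data, and the function names are hypothetical.

```python
import json
import logging
import re

# Constructed sample data: session token -> user id the token is bound to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}
# Constructed sample data: account id -> owning user id (the "entitlement").
ACCOUNT_OWNER = {501: 1001, 502: 1002}

# Hardened input routine: allowlist a positive decimal integer, nothing else.
ACCOUNT_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

# Stands in for the standardized logging feed into the SIEM.
SECURITY_EVENTS = []
_log = logging.getLogger("security")


class ValidationError(ValueError):
    """Raised when input fails the allowlist check."""


class AuthorizationError(PermissionError):
    """Raised when a session requests an asset it is not bound to."""


def emit_security_event(event, **fields):
    """Record a structured security event as it happens (JSON line for the SIEM)."""
    record = {"event": event, **fields}
    SECURITY_EVENTS.append(record)
    _log.warning(json.dumps(record, sort_keys=True))
    return record


def sanitize_account_id(raw):
    """Accept only a strictly formatted id; reject (and log) everything else."""
    if not isinstance(raw, str) or not ACCOUNT_ID_RE.fullmatch(raw):
        emit_security_event("input_rejected", field="account_id",
                            value=repr(raw)[:64])
        raise ValidationError("account_id must be a positive decimal integer")
    return int(raw)


def authorize_account_access(token, account_id):
    """Verify the session is valid and the account is bound to that session."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        emit_security_event("invalid_session", token_prefix=str(token)[:4])
        raise AuthorizationError("no session bound to token")
    owner = ACCOUNT_OWNER.get(account_id)
    if owner != user_id:
        # This is the evidence the text asks to see in the logs: a valid
        # session asking for an asset that is not bound to it.
        emit_security_event("entitlement_violation", user_id=user_id,
                            account_id=account_id, owner=owner)
        raise AuthorizationError("account not bound to this session")
    return user_id


def get_account(token, raw_account_id):
    """Request handler: sanitize, then authorize, then serve."""
    account_id = sanitize_account_id(raw_account_id)
    user_id = authorize_account_access(token, account_id)
    return {"account_id": account_id, "user_id": user_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(get_account("tok-alice", "501"))
    for token, raw in [("tok-alice", "502"), ("tok-alice", "502 OR 1=1")]:
        try:
            get_account(token, raw)
        except (ValidationError, AuthorizationError) as exc:
            print("rejected:", exc)
```

The ownership lookup is the part most real systems skip: the token is valid, so the handler trusts whatever id arrived in the request. Keeping the check and the event emission in one place means every handler that calls it produces the same log evidence.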
This is the essence of a SecDevSecOps approach:
1. Trust but Verify
2. Build Security in -- don’t bolt it on
Tweeting about #SecDevOps on Twitter @TheLittleDuke
Abstract. We propose a system based on a Bitcoin-like cryptocurrency model whereby participants use Proofs of Identity tests in order to have certain digital identity elements linked to public-key cryptographic keys, such as ECC-based PGP keys, in order to be entered into a public ledger system known as a blockchain. We contemplate a nominal reward system for passing Proofs of Identity, such as responding to an encrypted email and posting their IDCoin address on their social media networks, that would demonstrate positive control of a given account. Participants would be encouraged to perform key-signing for anyone known to them in order to build a Web of Trust (WoT). The rewards (aka tokens or simply “coins”) would then be eligible to be “spent” on reputational events, which would also be entered into the blockchain. Reputational Events could be anything from signing another member's public key, to expressing an opinion about another member of the WoT, to rating a transaction or the IP address of an email server, to real-world things such as geolocations or the license plates of automobiles.
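A toy model of the ledger the abstract sketches, added here as an example and not taken from the IDCoin proposal itself: passing a Proof of Identity mints a nominal reward, a reputational event (here, signing another member's key) spends it, and every entry is appended to a hash-chained ledger whose integrity can be re-verified. Everything below is an assumption for illustration: there is no mining, no network and no real signature verification, and the class, method names and sample members are hypothetical.

```python
import hashlib
import json


class IDCoinLedger:
    """Hypothetical append-only, hash-chained ledger of identity and reputation events."""

    def __init__(self):
        self.chain = [self._make_block(0, "0" * 64, {"type": "genesis"})]
        self.balances = {}  # member -> spendable IDCoin tokens

    @staticmethod
    def _digest(block_body):
        # Canonical JSON so the same body always hashes the same way.
        return hashlib.sha256(
            json.dumps(block_body, sort_keys=True).encode()).hexdigest()

    @classmethod
    def _make_block(cls, index, prev_hash, payload):
        body = {"index": index, "prev": prev_hash, "payload": payload}
        body["hash"] = cls._digest(body)
        return body

    def _append(self, payload):
        prev = self.chain[-1]
        block = self._make_block(prev["index"] + 1, prev["hash"], payload)
        self.chain.append(block)
        return block

    def record_proof_of_identity(self, member, proof, reward=1):
        """A passed Proof of Identity test earns the member a nominal reward."""
        self.balances[member] = self.balances.get(member, 0) + reward
        return self._append({"type": "proof_of_identity", "member": member,
                             "proof": proof, "reward": reward})

    def record_reputational_event(self, member, event, cost=1):
        """Spend tokens on a reputational event, e.g. signing another member's key."""
        if self.balances.get(member, 0) < cost:
            raise ValueError("%s has insufficient IDCoin balance" % member)
        self.balances[member] -= cost
        return self._append({"type": "reputational_event", "member": member,
                             "event": event, "cost": cost})

    def verify(self):
        """Re-hash every block and check each link; False if anything was altered."""
        for i, block in enumerate(self.chain):
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["hash"] != self._digest(body):
                return False
            if i > 0 and block["prev"] != self.chain[i - 1]["hash"]:
                return False
        return True


def demo():
    """Run the abstract's flow on constructed sample members; returns the ledger."""
    ledger = IDCoinLedger()
    ledger.record_proof_of_identity("alice", "replied to encrypted email")
    ledger.record_proof_of_identity("alice", "posted IDCoin address on social profile")
    ledger.record_reputational_event("alice", {"signed_key_of": "bob"})
    return ledger


if __name__ == "__main__":
    led = demo()
    print("balances:", led.balances, "valid:", led.verify())
    for b in led.chain:
        print(b["index"], b["payload"])
```

The point of the hash chain is the part the abstract relies on without spelling out: once a reputational event is in the ledger, changing it (or the proof that earned the tokens it spent) breaks every later link, so anyone holding a copy can detect the edit.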
“I don’t know how you do it!” Bob said as Julie entered her manager's office late Friday afternoon. “You keep knocking it out of the park. Come in! Come in! Have a seat. I’m just trying to get some lunch in.”
“I can let you in on a little secret if you promise not to tell anyone?” Julie smiled as she closed the office door and took a seat at the small round table near the whiteboard.
Bob set his sandwich down and wiped his mouth on the soiled napkin clutched tight in his hand. Since arriving at Bingo's Boutique he had steadily found less and less time to eat a proper lunch, having taken on an ever-increasing number of direct reports. What used to be an hour-long one-on-one meeting with her boss every other week now had to be squeezed into 5-15 minute standup meetings, often with little more than a half hour's advance notice.
“Go on,” Bob said as he eyed the sweating iced tea in the paper cup from the sub shop that he routinely sent his assistant on an errand to retrieve his food from. He picked it up and tried to find the straw with his open mouth.
“It’s not because I’m qualified,” Julie said, lowering her voice in a mock conspiratorial tone.
Bob leaned in, pausing mid-sip from the cup. A drip of condensation glistened in the afternoon sun shining through the westward window. The bead of water slowly made its way down the large waxy surface and dangled from the bottom of the perforated edge, twinkling and sparkling.
“It’s because I'm over-qualified.” Julie cracked a wide grin as the water drop fell onto Bob's unguarded suit pant leg.