A transformative change in how security ops and devops staffs function is needed in order for organizations to get ahead of the curve combating cybersecurity issues, said Square's head of security Dino Dai Zovi during his Black Hat 2019 keynote address.
Dai Zovi began his talk by taking the almost packed house at the Mandalay Bay Events Center through a quick pictorial history of his 20-plus Black Hat visits. From the snapshots taken in the late '90s and early 2000s, all featuring a series of bad haircuts and poor facial hair decisions, it was obvious that more than Dai Zovi’s appearance has changed over the ensuing years, primarily his approach to the job.
He spoke of how he moved from being a one-man show who spent his time simply searching for software vulnerabilities in his spare time to someone who realized the need for automation and teamwork to do the job properly.
The transformative change for Dai Zovi came, he said, when he moved to Square in 2014 and saw how the security team was actually consulted by the developers while a product was being developed. That led him to come up with three basic lessons he believes every company, municipality and organization needs to implement to successfully protect itself.
The first is to "Work backwards from the job." He explained that the emotional and functional aspect of what is being created or worked on has to be fully defined at the start, or else the needed steps to properly develop and secure the final product cannot be put in place.
The second is to seek and apply leverage. This is leverage in the traditional Archimedes sense, meaning to apply enough force to move an object -- in this case cybersecurity -- forward. This leverage can be in the form of automation, such as a fuzzer. Not only does a fuzzer make an analyst’s job easier, but that same fuzzer could be shared with the development team, where its use will create additional leverage, as there are normally many more developers in a company than security personnel.
The final part is culture, with Dai Zovi calling this more powerful than strategy or tactics. The primary point here is building in flexibility and an open mind.
“Don’t start with no, start with yes. This keeps the conversation going and makes it collaborative,” he told the crowd.
Dai Zovi was a last-minute choice as keynote. Rep. Will Hurd, R-Texas, had been slated to deliver the traditional opening day remarks, but he was pulled by Black Hat after complaints arose over his voting history in Congress. In an unrelated decision, Hurd just announced he would not run for re-election.