LAS VEGAS -- Creating a culture where software teams are responsible for their own security will lead to significant improvements, Dino Dai Zovi said during his Black Hat 2019 keynote.
Using his own personal journey as a platform for infosec lessons learned, Dai Zovi, head of security, Cash App, at Square, told the Black Hat 2019 audience why communication, collaboration, understanding, feedback and automation are the keystones for cybersecurity.
Dai Zovi, who joked that he was given the keynote because it was his 20th time attending Black Hat, described his experiences over that time and how they shaped his view of software and security.
"Software is the universal substrate of value today and is a key success differentiator for many companies just by being good at software delivery," Dai Zovi told the crowd. "Given where we are in security, where we need to really scale up to challenges that we're facing, I think fully embracing software and being good at this is how we meet this challenge."
Part of being able to scale and meet challenges comes through security automation, Dai Zovi said. One of his first lessons in automation came at his first-ever DEF CON, where he was pitted alone against a team in a capture-the-flag contest.
"One of the other teams, they had like 10 or 20 people working on the same challenges I was, and I couldn't compete with them by myself. They had one person fully dedicated to just waiting until I logged in and killing my process," Dai Zovi told the crowd. He described how he wrote a script to kill the processes of the opposing team and frustrated them, which allowed him to work unimpeded. "I learned a very valuable lesson that day. Automation in software can be a force multiplier. Using leverage can actually help you compete when your opponent has more resources and more people than you."
That lesson was reinforced when Dai Zovi learned about fuzzers, and again during his first infosec position, where he was the lone person in charge of security at a company and needed to automate tasks such as patching because they would otherwise be too much for one person. But it was his time at Square where he learned how making security everyone's responsibility improved collaboration and empathy.
"If you make a team own their code's quality as opposed to a separate QA [quality assurance] department that tests for them, you get higher quality code. And if you have the team own their own stability, they know the code and they can fix it," Dai Zovi said. "When you hand the code over to someone else, they feel the pain without the ability to fix it. So, aligning the pain with the agency to fix it is actually an important concept."
"We can think of everything a security team does as offering a product or service to the rest of the company and I think that is the true job that we should focus on," Dai Zovi added.
He added that this approach puts the security team in more of a support role. If software teams know that security is their job, they take it more seriously, Dai Zovi said, and when security is everyone's job the organization moves toward a generative culture, a reference to the Westrum typology for classifying organizational culture.
Dai Zovi argued that generative cultures should be the goal because they respond the best to issues through cooperation, sharing responsibility for risks and feedback loops to determine why failures happen and improve future processes.
He also warned that fear can impede progress, but that overcoming it is a matter of understanding and establishing feedback loops to encourage incremental progress toward a set goal. Incremental progress over time, he added, is how the best software is created.
"Hardware is built like a building -- you build the foundation, then you build the next layer and the next layer -- but I think better software is grown and you channel that growth like a tree," Dai Zovi told reporters after the keynote. "That results in better software much more attuned to the needs of its users and embraces the core thing about software that makes it software, which is that it's malleable."
Dai Zovi said the last key is to start by saying "yes" rather than "no."
"If we can create a security culture change in every team, we can scale a lot more powerfully than we can if security is only our responsibility," Dai Zovi said. "We need to engage the world starting with 'yes' and here's why: It keeps the conversation going. It keeps the conversation collaborative and constructive. That's how we create real change and have real impact."