Cybersecurity: It’s All About the Coders (Thoughts on My TEDx Talk)

I recently gave a presentation at the TEDx San Antonio conference on March 5th, 2016 held at Rackspace Global Headquarters. This was a tremendous experience and I got to meet and share ideas with a bunch of great folks. Here’s a video of the talk:

And here’s an interview I did with Jennifer Navarrete afterward where I got to expand on some of the topics from the talk:

This was probably the most challenging presentation I’ve given to date for a number of reasons:

  • Time constraints – The talk was only 6 minutes long. For a person who loves the sound of their own voice – like me – it can be hard to get through an intro, much less make a cogent argument for … anything in 6 minutes.
  • Audience – The information security community has a tendency to talk within their own echo chamber of like-minded individuals. This is great if you want to do a technical deep-dive into a topic or act like a curmudgeon. But the TEDx audience is well outside the infosec echo chamber. While they tend to be technology savvy, they aren’t necessarily technical individuals. They’re not programmers. And they’re certainly not information security professionals. I actually started out as an “alternate” on the TEDx San Antonio program – and I suspect this was because there were well-justified fears that a presentation about information security issues would be arcane and boring for the audience.
  • High stakes – I have a lot of experience as a track speaker and a little bit of experience giving keynote talks. I can usually pull together material from research I’ve done or statistics we’ve developed through the course of our work. And, the audience generally has a very similar background to me and is ready to listen to what I have to say. But TEDx talks get a lot wider distribution than anything I was used to. There were a couple hundred folks in attendance that day, but – more important – the edited video lives out there in the TEDx ecosystem forever and tends to get a much wider distribution than any of the talks I previously had recorded. I never feel nervous speaking in public, but my TEDx talk had me scared to death because I didn’t want to screw something up that a lot of folks were going to watch.

Initial Thoughts: Terminology

Starting out, I knew I wanted to speak in terms that I felt would resonate with the audience. So being “technically correct” – which is the best kind of correct for us pedantic, technology people – had to take a back seat to using words that would immediately resonate with the audience. I didn’t have the time to slog through a lot of definitions, and, more important, I didn’t figure the audience really cared. So I used the dreaded word “cyber” in the talk title because the audience knew what it meant. Or at least they thought they did and it got them thinking in the right direction. I tried to talk about “coders,” rather than “software developers,” for the most part with the hope that that would get the idea across while sounding less formal and having fewer syllables. I made a couple of passes over the text of my talk to try and remove jargon and replace it with more natural language, even with a loss of precision and accuracy.

The Talk Itself

As mentioned above, communicating anything in six minutes is a challenge for me. I had to cut a lot of corners and gloss over a lot of details that I actually think are important. BUT I did have six minutes, so I wanted to make the best of it.

Technology Is Critical for Society / Technology Impacts Everyone

It seems silly to bring this point up, but I wanted to start at a place everyone was familiar with and would agree with and build my argument from there. If I were talking about something everyone knew about and everyone agreed on then I would have probably started with some sort of snarky controversial statement. But I was talking about application security, which I assume basically no one in the audience knew about so I wanted to start on familiar ground. Because “TED” stands for “Technology, Entertainment, Design,” I didn’t figure this would be terribly controversial and would instead be a way to get everyone on the same page.

I think it is also important for folks to understand just how pervasive technology has become. Again – this is a bit of a well-accepted truism at this point, but is important to set the stage for the rest of the talk. After covering this ground hopefully everyone will at least agree that this talk has some bearing on their lives.

Security is Critical for Technology

I thought it was really important to expand the scope of “security” beyond just a discussion about financial data. Credit card breaches are an easy to understand phenomenon for a layperson, but the impact for the individual is typically not that bad. But I also thought it was really important to highlight the fact that not all security breaches are recoverable – for example the case where medical information is disclosed. If I would have had more time, I would have probably talked through some scenarios about how everyone’s FitBits were trying to kill them – or at least how they could try if directed by some malicious hacker. But there just wasn’t time.

Along those same lines, a week or so after my talk I ran into someone when I was out to lunch who recognized that I was wearing the same t-shirt that I had worn to TEDx. I wasn’t terribly surprised that I was wearing the same shirt because I own about five shirts that I just rotate on a daily basis and they’re all CrossFit or GoRuck themed. I was however surprised that someone recognized me out wandering around in the “real world” after my talk. He asked me, “Why didn’t you talk about the FBI trying to break the iPhone encryption?”

There were a variety of reasons I didn’t. First of all, the Apple/FBI news broke well after the talk had been pretty well “baked in,” but also, I had really limited time. If application security was a topic that was all but impossible to cram into six minutes, opening the can of worms around an encryption debate was a non-starter. But I liked that I got that question – kinda because someone recognized me from my TEDx talk so that now means I’m famous, but also because he linked the questions about breaking into iPhone encryption with the idea of cybersecurity and secure systems in my talk.

Hopefully people who watch the talk will walk away with a better feeling about how the security of the technologies they use can potentially impact their lives so they see that security isn’t just about financial info, that it isn’t just something banks and hospitals have to worry about, but instead is something that all organizations and individuals need to at least consider.

Technology Is Basically All Software So Coders Control Security

To get folks thinking a bit more deeply about the technologies pervasive in their lives I went on to talk about how software really forms the underpinnings of all the cool technology innovations these days. Hardware is something that is very … tangible. So, it is easy to think of technology as racks of servers connected by miles of cables. But these days that is really just a bunch of plumbing. As I said in the talk, even components thought of as “hardware” are also running software, and anything really valuable and cool you do with technology has the bulk of the heavy lifting and innovation done by software.

So, if the coders are the ones who are really building all the cool technologies that people get to use, that means they are the ones who have to make sure those technologies are built to be secure. This required a bit of hand-waving and proof-by-assertion because the last thing I wanted to do was launch into some sort of formal proof. But for people familiar with how systems are built, this is something they should think more about.

Coders Don’t Know Security So We Need to Change the Way We Create Coders

I’m proud to have attended Trinity University, and I was especially proud to have one of my professors, Dr. Paul Myers, in the audience at my TEDx talk. Hopefully, he didn’t take offense at my comment about my education being “reassuringly expensive” or all the tricks we used to play on professors. In addition to a great liberal arts education, Trinity University provided me with a top-tier vocational education to be a professional computer programmer. And the lack of security in my curriculum wasn’t a surprise – I think most universities have a lot of trouble teaching computer security topics. A lot of professors don’t have a strong background in computer security, and those that do are often focused on over-the-horizon research or crypto stuff rather than the more practical concerns that industry practitioners are focused on.

Unfortunately, that means we have created an “installed base” of professional programmers who have insufficient knowledge of secure design and development concepts. The people building the software we rely on often don’t know the most basic of security concepts when they are released into the wild to start developing software. It should come as no surprise that the software these folks release is riddled with security weaknesses and vulnerabilities.

How Do You Get Coders to Care About Security? Ask the Question: What Shouldn’t the Code Do?

I’ve had the opportunity to speak to a number of undergraduate computer science courses about security and those experiences informed this portion of the talk. Time after time when I’ve talked to students, I’ve found that they’re interested in security, but just don’t have sufficient context to tackle a lot of the topics that “industry” employers will ultimately need them to comprehend. Some of these issues are technical: How do you talk about SQL injection to a student who has never taken a database course? How do you instill an understanding of cross-site scripting (XSS) in a student who has never built a web application? But other issues go beyond the technology. How do you convince a student to care about PCI compliance? How do you get a student to care about HIPAA? The sad truth is that you usually can’t.

That’s what I tried to communicate with my vignette about SQL injection and PCI compliance. Students just don’t care about a lot of things that information security professionals care about. At least, they don’t yet at the education stage of their careers. And the common “person on the street” doesn’t either.

One of the great aspects of preparing for TEDx talks is that you have to do one or more “curation” sessions where you give early versions of your talk for the other speakers as well as for your “curator” – a kind of handler who makes sure that you’re ready to give your talk. (By the way – many thanks to my curator Hart Hoover. Thanks for staying on me and making sure I was ready!)

As I mentioned above, I think there were concerns with the folks running the TEDx conference that a talk about cybersecurity would be too technical, too arcane, and not of interest to the attendees. When I launched into my spiel about databases and SQL injection I could see the body language of the organizers who were at the curation session and they were getting a bit nervous. When I started talking about “PCI-DSS” I could see a couple literally cringe in the back of the room. And that was exactly my point – the average person doesn’t care about security like an information security professional does. Not even close.

Fortunately, the joke worked in the curation session so I kept it in for the actual talk. It got a laugh, which, at the end of the day, was all I really wanted. And hopefully that helped to illustrate the futility of how we all too often try to communicate security concepts to students.

Framing the discussion as one of compliance or one of cryptography is destined to alienate far too large a percentage of those exposed to it. But if we can look at security through the lends of misusing software and with the challenge of making systems resistant to misuse, then I think we have a better chance to pique students’ interest and inspire them to dig deeper. My hope was that this was a simple enough concept for laypersons to take with them.

In Closing

I feel like the talk ended abruptly. Probably because it did. Just like this paragraph.

I spent a lot of time building up my argument, but because of the background of the attendees I had to spend the vast majority of the time laying out the landscape. Given more time, I would have loved to have spent more time talking about the economic drivers and other incentives shaping how organizations and individuals build software, but:

  • That would have been hard
  • I’m not sure most people want to start getting that deep into the world of cybersecurity

As it ended up, I did manage to sneak in one final thought that I hope people take with them – in addition to getting coders to ask questions about security, I also want people to go forth in their lives and start asking those questions of the companies providing them with technologies: “What have you done to make sure this technology only does what it is supposed to do?”

Security is all about incentives, and customers have a unique ability to create incentives for the companies they buy from. If the market demands security then companies will do a better job of delivering.

So How Did I Do?

I suppose that you, the reader/viewer, will be the ultimate judge. Personally, I was happy with how it turned out. I did receive some feedback I liked such as:

  • “Good talk that even I understand”
  • “I’ve actually been able to relay the concept of your talk to others! Thanks for making it meaningful and accessible!”

Feedback like that was really encouraging. But that was from people who are inclined to be nice to me.

Not everyone agrees. I communicated via Google Plus with Dan Borges who said that he “fundamentally disagree(s)” and that I was “promoting misinformation” by suggesting that coders had a high degree of responsibility for the security of today’s technologies. He highlights the human factors that go into many security breaches and my lack of discussion about defense in depth and response times.

Those are fair criticisms of the argument I laid out, but, yet again, I’ll take a cop out and blame my time constraints. Also I’m not sure anyone would have shown up for a talk titled “Cybersecurity: The Coders Have a Role to Play, But There’s Other Stuff to Worry About, Too.”

Information security is obviously far too broad of a concept to boil down into a single presentation, and this is even more so when the intended audience probably hasn’t thought a lot about the topic.

TEDx talks are supposed to be about “ideas worth spreading” and my hope is that folks left my talk with a new perspective on the security of the technologies they use, and a bit more curiosity about the people who actually build those technologies. If I accomplished that, then I’ll consider the endeavor a success.

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *