"What Could Possibly Go Wrong?" - Thinking Differently About Security presented at AppSec USA 2013

by Mary Ann Davidson,

Summary : Almost all security professionals have one or more headshaking security stories caused by everything from sloppy design to execrable coding to insanely asymmetric risk assumption. Technical acumen is not enough if we want to improve actual security (instead of improving our job security): we need to think about, and talk about, security differently. This means absorbing the language, constructs and lessons of other disciplines from economics (systemic risk) to military history and tactics (force multipliers). It means understanding the limits of technology, that there are "unknown unknowns" and that humans are all too fallible (and there's no upgrade coming). Lastly, it requires the techno-proficient among us to learn to de-geek our speak so that we can express security concerns in terms that decision makers and policy makers can understand: "barbarians are at the gate" is so much more understandable and actionable than "there's a manifestation of a theoretic weakness in the Visigoth detection protocol."