Using the same password for most (or all) of your accounts is like using the same key for every door in a city. When a data breach like the ones we so often read about happens, it’s as if someone copied that key (along with many others) and instantly gained access to everyone’s home at once. It’s unsettling, isn’t it?
This is just one of the reasons I got interested in cybersecurity: it changes your mindset and the way you make decisions. Once you understand it, you start to see your own choices in a very different light and you start to question them, to ensure they make you safer and more resilient in protecting your work, your life, and the people you love.
In this episode, John Opdenakker explains to us what cybersecurity means, who can be affected by cyber-attacks and how you can protect yourself from them. So take a listen, and learn the basics of this sector that is no longer confined to the interests of technical-minded people.
Listen to this episode to learn:
- The importance of cybersecurity in our lives.
- The main characteristic of most cyberattacks: they are untargeted, mass attacks (phishing mailings, credential stuffing) rather than attacks aimed at you personally.
- The importance of using a password manager and how to turn it into a habit.
- How technology can protect us.
- Why cybersecurity can be understood by anyone, regardless of their area of expertise.
A few ideas that stuck with me:
- Anyone can become a victim of a cyberattack: Our entire life is online nowadays, whether we realize it or not. It’s become almost second nature to us. We’re all users of technology to some extent, and this means we’re also responsible for protecting everything we put on our devices. Back in the day, we might have thought that only big companies could be hacked. But now that we’re all connected, we can be victims of random attacks that can erase our entire digital memory in a second.
- Cybersecurity impacts our decision-making process: Once we become aware of the risks in the virtual world, we start paying more attention to what we do offline. We become more careful with the data we provide to different organizations – such as hotels – and we take measures to better protect our accounts – by using password managers, two-factor authentication or any other methods.
- Cybersecurity should be taught in schools: Kids nowadays were practically born with a smartphone in their hands, and many of them don’t understand the concept of security or of protecting their data. It’s up to us to teach them the risks, and one way to do that is by introducing the subject into school curricula. This can raise awareness among a wider public, such as their parents and even grandparents, and it can also lead some of them towards becoming information security specialists themselves.
About John Opdenakker:
John started his career as a developer of desktop applications in C++ and C#, and later of web applications. As he built and launched more and more web applications, one question in particular concerned him: how could he protect his apps’ users’ data against attackers? To find the answer, John began to dig deep into the cybersecurity world, eventually becoming an expert in the field.
John now works to raise awareness on this topic by writing and publishing approachable, easy-to-understand articles on his blog, all on cybersecurity topics. He’s also very active on Twitter, where he tries to answer any question the general public might have and to engage other Twitter users in constructive conversations about their data protection habits and perceptions.
Key Discussion Points:
03:51 – The main reason why most people have a difficult time relating to cybersecurity;
08:17 – What attracted John to the information security industry;
09:35 – Hack Yourself First – how a workshop that helps you see yourself through the eyes of an attacker changed his perception of how vulnerable he was online;
19:26 – What changed in John’s offline behavior, once he started learning more about online security;
23:08 – The importance of using a simple security measure, such as two-factor authentication;
26:33 – How to understand the concept of risk and why risk is important to decision-making regarding security;
32:18 – How to handle decision fatigue, as a cybersecurity professional;
37:13 – How a penetration test (pentest) can be useful for a fact-based perception and management of risk;
40:42 – The reasons we don’t perceive online risks as important to our safety as the offline ones are.
Resources not mentioned in this show but that I created to help you improve your online security:
- this cybersecurity glossary so you can understand what these technical terms are all about
- this Cybersecurity for Beginners course I created a few years ago with my former team at Heimdal, taken by tens of thousands of people around the world
- The Daily Security Tip: a string of daily, fun emails you can get in your inbox. Get a practical tip each day and a fun GIF to make securing your online stuff anything but boring.
Full episode transcript:
Andra Zaharia: Hi, John! Welcome to the How Do You Know podcast. I’m really excited to have you here! It is the first time on this podcast that I have someone from the information security industry, which I’m really happy about because it’s a big part of what I do and what I love. So, welcome to this show!
John Opdenakker: Thanks, Andra! Thanks for inviting me, and it’s nice that you invited me as the first Infosec person. That’s a big honor!
Andra Zaharia: That is very kind of you! We’re going to share some different perspectives today around decision-making and around the way that we perceive and the way that we use technology, the way that it shapes our lives. This is something that everyone is starting to talk about a lot more. As you know, cybersecurity has started to come up a lot more often in the news and outside the industry, which is a really good thing, but, on the other hand, what brought it into the spotlight are a bunch of cyber-attacks and data breaches and a lot of incidents that compromise our safety. So, I’m really looking forward to learning from you and talking about these issues and helping other people understand them from a non-technical perspective because usually people get pretty much scared when we start talking about things like APTs and malware types and strains and things like that.
John Opdenakker: Yeah.
Andra Zaharia: So, I wanted to ask you, just to help people understand, who maybe don’t think about this too often, why is cybersecurity so important for our lives?
John Opdenakker: Well, you just said in the introduction that if a company suffers a data breach – their website gets hacked – as a result, millions of users’ usernames, credentials and passwords get stolen. What this means is that attackers can gain access not only to this website but also to all other websites for which these users re-use credentials. But it’s not only that; it’s not only websites that get hacked. Our entire life is online nowadays. Ten or 15 years ago, it wasn’t like this, but now everything is connected to the internet. And it’s also not only data breaches; there are also malware attacks, and it doesn’t have to be sophisticated – because you were talking about APTs. Zero-day is also something which is very popular in the infosec community. So, zero-days are bugs that are already being exploited but are not yet known by the vendor. That’s not our biggest risk. The biggest risk most people have is just scripting attacks or, let’s say, ransomware attacks – just malicious links or attachments, and once they click, either they land on a phishing site or they get infected with ransomware – which encrypts all the files on the machine – and then they don’t have backups. These are real-life problems, not those fancy-named infosec terms, but everyday problems which all users suffer from, like the ones I named.
Andra Zaharia: Yes, that is so true! I think that one of the aspects that make cybersecurity so difficult to relate to, for most people, is that for a long time, people thought of this specialization, of this sector, as something that is only for technical-minded people. But the truth is, now – as you mentioned – that we’re all hyper-connected, and we’re not even aware of it anymore, it’s become second-nature to us, that we are users of technology and we have become techies to some extent, and that automatically involves the fact that we’re also responsible for how we protect everything that we’ve put on these devices, which is, well, most of our lives. This exposes us to a lot of things.
John Opdenakker: Yes, exactly! And what you said there – without even knowing it – that’s a very good remark, an important nuance. A lot of people don’t even… Yeah, maybe they know, but they’re not aware they’re online. Well, almost. It’s like it’s becoming our nature.
Andra Zaharia: That is true! So, it’s very interesting to touch on these topics because I think people do this usually reactively – they react to an incident that happens to them at work or at home – they don’t think about it proactively, or very few people think about preventing cyber-attacks and privacy issues. And I’ve seen this happen a lot around me. What worked, was me trying to draw a parallel between their online lives and their offline lives. Because, for example, having the data breach would be like using the same key for all of the doors in a city, and then someone would just be able to copy that key and just break into everyone’s homes at the same time, which, if you think about it, is incredibly scary, and that’s exactly what’s happening online, but without us seeing it and without many people knowing it, and I think that makes it very dangerous.
John Opdenakker: Yeah, exactly. I also wanted to point out what a lot of people don’t get: most of these attacks are not very targeted. They’re just mass attacks. Take phishing – yeah, you have spear phishing, which is very targeted, but most phishing attacks are just mass mailings in the hope that a fixed percentage of users will fall for them. A good example of this is credential stuffing, for instance. Credential stuffing means you have a list of usernames and passwords from one data breach and you just try to log in with this list of credentials to another system. I mean, this is not targeted. This is just a list of stolen credentials – and if you re-use them, you know what’s happening; unless the website protects against this kind of attack – probably, most websites don’t – so, you know what can happen. So, this is what a lot of people don’t understand. And then, I like what you said, that you draw parallels with their real life. It’s not always that easy to translate that one-to-one, but I try to do that as much as possible – just so that it relates to them as well.
Andra Zaharia: I completely agree because cybersecurity has only been around for 30 to 40 years – not even 40 years – so it’s a rather new sector. We tend to think of our lives now, and accept them, and forget that they haven’t always been this way, especially for younger generations who were born almost with a smartphone in their hands. So, for them, it’s even more difficult to understand how it was before. I find sometimes that older generations are a bit more aware of the risk, but that doesn’t apply to every situation in life, and I hope we get to talk about this a bit further on. But I was curious, how did you start exploring the security path, and what attracted you to this industry? Because your background is in development; you have a technical background, but you didn’t start out 100% on the cybersecurity path. So, I’m curious what got you interested in this field?
John Opdenakker: Well, like you said, I was and I still am a developer. I’m developing less and less, but I started as just a developer of desktop applications, C++, C#, and then web applications, and we started noticing that the risk of a desktop application means the attacker has to be in the network, if you have an on-premises application. Once you’re deploying web applications, it becomes a whole different story, and then we started asking the question of “How can we protect this? We have this database with the data of all of our users. What if something happens?” And then, you start realizing, “Oh, there’s more to it! To defend this, you have to learn about it.” I got the opportunity to attend the workshop of Troy Hunt – a famous security researcher – and that really got me interested. It’s called “Hack Yourself First,” and what he does in this workshop is you get to hack an application, so you put the head of the attacker on, let’s say, and this is really interesting. Then, you get this insight of, “Oh no! Seriously? Is it that easy?” If I make a simple mistake, let’s say, if I have a SQL injection risk, there’s a tool and I can just put in the URL there, click a button, and I can suck out all the data of the database. And then, I knew how to defend against SQL injection, but there were other risks. It got me interested, and I never stopped. And then, aside from that – on a personal level – I started to write a blog, just being active on Twitter, and things like that. And yeah, before you know it, you’re addicted to infosec, I guess. So, that’s a bit of how it went for me.
Andra Zaharia: That is so true! I think that once you start discovering this world, you start to get fascinated by it, because at the end of the day, I think that one of the reasons that I got so interested in cybersecurity is that it changes your mindset. It changes how you make decisions. When you put the head of the attacker on, just like you said, and see all these opportunities to do damage, as the attackers have, you start to see your own decisions in a very different light and you start to question your choices to make sure that they are safer ones, that they are better ones for both yourself and your loved ones. I feel that when you take on this role, when you start to understand cybersecurity, you feel responsible for other people – first, for your family and your friends – because now you understand more than them, now you know more than them, and you want to help them be safe because you know what can happen; you know they could lose pictures of their loved ones because no one prints everything anymore, and they could lose their work, and they could risk their jobs, and things like that. You just want to naturally start spreading all this information and try to educate others and try to simplify things so people don’t get intimidated.
Andra Zaharia: I was actually on the phone, earlier today, with my mom – I got her a new laptop – and she switched to Windows 10, and there were a bunch of changes, and she was just like, “Oh my God! Things got so complicated!” And I know that’s barely scratching the surface. She kept asking me, “Is there any way for you to make these passwords a bit simpler for me?” I haven’t set up a password manager for her yet, but I’m about to do that for her. She doesn’t have that many, and I highly recommend using a password manager. I was trying to explain that, “No, I can’t set weaker passwords or simpler passwords because that would mean exposing you.” And I just had to convince her to trust me that it’s worth the effort of doing something like this.
John Opdenakker: That’s a funny one! I had the same discussion with my dad. He was getting really annoyed with something and, yeah, sometimes websites give you a hard time, let’s be honest, so even for password manager users like myself – and you, obviously, if I understood you correctly – it’s sometimes hard because they prevent you from pasting passwords or they give you a hard time just creating a password; you have this lovely 50-character-long password, which is really random, and then the site says, “No,” or the site accepts your password and then, when you try to log in, the site truncates it. Now, going back to my dad, I convinced him as well. I said, “Look, this is important!” And then, I explained what I explained earlier on about credential stuffing, just in human language. This is what happens when you re-use a password. He said, “Okay, that’s good.”
John Opdenakker: But my dad just writes them down on a piece of paper, and that’s okay. For his use of technology, it’s fine because, then, someone has to steal the paper out of his office – let’s be honest, burglars won’t look for your passwords. He doesn’t use a smartphone – maybe that’s exceptional because most people have a smartphone, but in his case, this is perfectly okay. And even when you use a smartphone or you need your accounts on other devices, you can carry the piece of paper; just take care of it, keep it safe. But yeah, this is the kind of purism I hear a lot in the infosec community – people often lose their minds when you say something like this. But each case is different. Like I said, for my dad, that’s perfectly fine; there’s nothing wrong with that. And, as for your mom, I don’t know, it could be okay as well. It all depends. And then, if you can teach her to use a password manager, that’s even better. For me, that’s not necessary, let’s say.
Andra Zaharia: I very much agree with the fact that security doesn’t have to be complicated to work; it doesn’t have to be perfect to work – in other words, there’s no such thing as perfect security; even if you do everything by the book, and then some, you’re still at risk of someone who’s very motivated finding a way to get to you. So, there’s no perfect security. And yeah, about this purism – I had a conversation with someone a few weeks back, it was actually with a group of freelancers, and I was talking to them about the importance of keeping your stuff safe, especially if you have logins that you manage for your clients, because those are super important! You don’t want to share those in emails, in plaintext, on WhatsApp – please, don’t do that! Everyone who’s listening, please don’t do that – or in any way that they could be easily accessed. And someone with a tech background came and said, “Yes, but the surefire way to make sure that you really stay protected is to use Linux.” And I was like, “I know, but most people, like, 99% of people, will never do that because Linux is not for your everyday user.” So, instead of trying to change their lives so fundamentally and getting them to use another operating system, let’s just try to fit some security into their habits. We don’t have to change their entire lives, from a technical perspective, just to make sure that they’re safe, because no one is going to go for that type of change. So, yes, purism, I don’t think it really helps anyone.
John Opdenakker: No, exactly! What you say is so right, but the problem I see – and these people know this as well – is, like you said, I think the market share of Linux is less than 1%. So, they know that as well, so why can’t they translate the message to the average user? I honestly think we’re missing that a lot. We’re echo-chambering. For instance, on Twitter I see it all the time; we’re like, “Oh, yeah, but this solution has this and this kind of potential risk.” “You’re right, but the users are just re-using passwords everywhere.” I mean, everything is better, and each step by which you can improve their security is a win. But it’s difficult, it seems.
Andra Zaharia: It is! And I think it’s going to take some time because – while I’ve been doing this podcast and reading a lot about decision-making and how habits form – decisions are very tied to habits. To have a habit, you have to start by making a decision and keeping up and following through on that decision for a long time until it becomes a habit. Just like, for example, using a password manager. I always tell people, when you start using it, don’t force yourself to put in and update all your passwords at once, because it’s going to take a lot of time, you’re going to get frustrated and you’re going to abandon the process. Just do it gradually, as you go along. When you log into a website, change your password, add it to your password manager and just go through these websites one at a time until you’ve been through all of them. And this kind of change in our mentality and habits will take a long time, and I feel like – as I was mentioning – it’s our responsibility to try to help others understand why this is important and how this changes your perspective, both around your online security and your offline security. And I was really curious, once you started getting into cybersecurity, did anything change in how you conduct yourself in offline spaces?
John Opdenakker: Yes, obviously! My girlfriend thinks I’m paranoid sometimes.
Andra Zaharia: So does my boyfriend.
John Opdenakker: And yeah, I think everyone who’s doing security knows this. Five years ago, they asked for my ID and I just gave it to them. It could be for anything, for something stupid: “Hey, can we just have your ID, so we can run something?” And then, they take a copy of your ID. Why? Why is that necessary? If you check in at a hotel, all this is personal information. Ten years ago, I never thought that all this personal information ended up in an online system. You can think that’s naive, but it isn’t, because people don’t think like that. But if you’re in this business and you know how the overall security of some systems is, then you’re like, “Oh, no, no, no! I’m giving you the bare minimum that you really need.” Stuff like this. And then, I’m trying not to be paranoid, but I think sometimes I am. Sometimes there’s also a bit of trust, but when it comes to things like checking into a hotel, I think you should be careful and only provide information that’s necessary.
Andra Zaharia: Yeah! I absolutely agree because let’s remember the Marriott breach, which wasn’t that long ago. And yes, absolutely, I think that a healthy dose of paranoia is necessary and I think it can be very useful because it keeps you from making rash decisions. It keeps you from just jumping into things and not second-guessing yourself. And, if you have a job that’s mostly dependent on things that happen online, it’s all the more important to be watchful of these things, to be observant, to know where your things are, and not just to have hundreds of online accounts, use the same password for all of them and then get super surprised if one or all of your accounts get hacked at the same time and you just scramble to get your stuff in order then.
John Opdenakker: What I find particularly difficult there is – like you mentioned before – we should help people, and I do that often with my dad or my mom or my girlfriend, just to improve their security. But, like I said, she thinks I’m paranoid, but I think I’m doing it for the good, so you have to find a way to convince them, and that’s a bit of a middle ground, let’s say. I try to teach them why – that’s also important – because are we just paranoid? No, you have to understand where this data ends up, and it’s not easy. I see that, because you can tell people how to do it and why to do it, but then it’s mostly up to them, and if you don’t follow up on that, they might just fall back to their habits, let’s say. Also for their online accounts. That’s, for instance, why I configured two-factor authentication for my dad’s email account. I just set it up myself, and I said, “Look, this is one of your most important accounts; I will properly configure that and some other accounts.” So, it’s not only teaching them, but sometimes I think you should just help them and do some things for them to protect them. That’s my opinion.
Andra Zaharia: Yeah, absolutely! And what’s interesting about what’s happening now, and how cybersecurity is now getting all this attention, beyond the fact that it makes for very clickable sexy headlines which sometimes aren’t entirely true and sometimes are exaggerated, not in terms of how risky and important they are and how big their impact is, but in the way they’re portrayed – that’s very focused on fear, uncertainty, and doubt. It’s this principle that’s been heavily used in cybersecurity for the longest time and that everyone who’s involved in this educational part of the industry is trying to fight with constructive examples that offer also an optimistic perspective that you can do this. If we scare people into believing that they don’t stand the chance, most of them, who aren’t motivated to begin with, will just give up before starting. So, I think that it’s important to offer these constructive models.
John Opdenakker: Exactly! Just using fear doesn’t help. It helps a bit, but it can have the opposite effect. So, I totally agree with that. And let’s be honest, if you have configured two-factor authentication, the risk of an account being taken over is a lot less. I mean, we can go and discuss SMS-based two-factor authentication, etc., but still, it’s better than no 2FA. And even if you just use an authenticator app, the chances are still quite small that you get phished and that your credentials get stolen. So, there’s hope, but the problem is there’s no adoption. I say no adoption because, for instance, last year, the numbers about Gmail accounts with 2FA were published, and it was less than 10%. Three years ago, for Dropbox, less than 1%.
Andra Zaharia: Yeah! That is true! We have a long way to go. And you mentioned something very important earlier on, about understanding people’s motivation, understanding their why and giving them a why that is something they can relate to on an emotional level because when you boil it down, decision-making is a very emotional process. We rarely are very structured about our decision-making, we’re rarely as objective as we think we are. We react to things in an automated way, we rely on our habits that we’ve had for years and years to decide and to choose without second-guessing ourselves. So, I was very curious how you get people to understand the concept of risk because this is something that is central to your, let’s say, specialization, it’s central to your educational efforts. So, I was curious if you could share a bit on how risk is so important to decision-making, in security, in general.
John Opdenakker: Understanding risk starts with understanding the processes that are going on, without going into too much detail. So, what I try to do is explain, like I mentioned, credential stuffing – I try to explain it in human language, and I try to make clear what the risk is. So, if you re-use accounts, be sure that, sooner or later, other accounts will be taken over. Why is that? Simply because… And then I try to use facts. In one of the studies that was done by Microsoft in 2016, 12 million credential pairs were tested against Microsoft systems. So, that tells us that it’s something that’s heavily being done by attackers, and I hope to create an impact like this. So, if you re-use, the risk is high, and the impact will be that all your accounts – maybe your email account will be taken over – and then the attackers can reset all your other accounts, and it’s virtually game over.
John Opdenakker: So, just as an example, I try to explain the same with phishing, and then you can also explain that, even if you are phished and you have 2FA, then you’re still safe, because the attackers normally can’t produce the codes on the second factor. So, I try to approach it very pragmatically, and then just explain what’s the risk, what’s the impact and how prevalent is it? I mean, for instance, zero-days: of course, users should patch – that’s why, if you use Windows 10 now and you have automatic updating on – of course, there will be zero-days, but that’s not your biggest problem as an average user. The biggest problem is, like I said, the phishing, the ransomware.
John Opdenakker: Last year, a friend called me in a panic: “My external hard disk crashed. All my pictures are gone!” Pictures of the kids, of the family – that’s a bit of a drama, right? And then I said, “Do you have another backup?” “But I had a backup. This was my backup.” “No, no. You have only one copy of the data, on the external hard disk?” He was lucky that it wasn’t too bad and I could recover it, but I gave him the advice to back up. I didn’t check on him, but I hope he did it, because that’s again an example of what went wrong, and luckily, I could recover the files, but that kind of stuff – don’t let it happen before you act. I mean, these are things that happen; hard disks crash, ransomware attacks happen all the time, so be prepared! And I try to give examples of how prevalent it is and what’s the impact and what’s the actual risk. I don’t care too much about “hacking my phone via fingerprint” and stuff like that. That’s not the typical risk for the average user, let’s be honest. They need to have your phone in the first place.
Andra Zaharia: That is so true! It’s the small things, it’s the little things that we do every day, and I know that people who are outside the tech industry – and this is not about placing blame on anyone, but rather seeing how we can contribute to our own security – sometimes expect technology to be inherently secure, to be secure by default, which would be great in a perfect world, but we all know we don’t live in one. And tech companies can only do so much. They can offer all these options for you to keep your account safe; they give you a lot more control than we used to have over our accounts, to be able to see, for example, if we use Gmail or any service by Google, the devices that are associated with our account that have logged in, when, from where; we have all these tools that we can use to feel in control, to get in control of our security, of our data, of our privacy, but we have to use them, because tech companies can’t do that for us. And that’s where we step in, I feel, as people who have one foot in the cybersecurity world and one outside of it, to try to bring some of this knowledge, as you’re doing on Twitter, as you’re doing with your blog – where you shared so much valuable information throughout October, which is cybersecurity month. I will link to your blog and the resources in the show notes, so people can gain access to them, so they can read them, and hopefully start implementing them as well. And, we were talking about risk and the type of decisions that someone makes with these things in mind. I was curious, how do you handle decision fatigue? Because this is something that cybersecurity professionals often face, because they have to make all these choices every day, because every situation is different from the other, just like we discussed.
John Opdenakker: True! Well, I can tell you from my perspective as an application security guy. The key to success is to have a good process in place. That’s what we call security by design. And what it means is that, throughout every phase of the software development lifecycle, you have a predefined set of controls in place. For instance, it means that you do threat modeling. So, from the architecture phase on, you’re going to identify where the major risks in your architecture are, and then you have to change the architecture, or you just see how you can fix it or how you must implement it so as not to face any of these risks. Then, you have security testing throughout the process – and not only testing. By testing I mean static code scans; it can also be code reviews, peer reviews; for instance, if you are working with kits, if there’s a change request, that someone else reviews it, but also that the security part of the review happens before it’s approved. There are also dynamic scans, third-party scans. So, for instance, if there are known vulnerabilities in libraries or if they’re outdated, then you will discover it early on. Every step in the process is a sort of quality gate. And if you’re doing it at the end, before a major release or before you go live, when you do pen tests, this should be your ultimate quality gate. And it should also be a quality gate for your process, because if you have a lot of issues coming out of the pen test – there are always things you cannot test for – but if you have a lot of issues there, it probably means there’s something going wrong with the execution of your process as well.
John Opdenakker: So, how does that relate to decision making? When you do the scans, the decision is simple – the static scans or the third-party code scans – if you have a high or a critical, just fix it within the next sprint or the next two sprints. I mean, this is all the happy part, let’s say, if you can start the development of a new module; for existing processes or applications, you also need to have something in place. You have to decide, “Okay, we have to go see, is this a high or critical risk – this particular vulnerability? If so, what are we going to do?” Based on the risk, you’re going to give priority. Maybe there are some issues and you have to escalate it to management or to the board, but you have the processes in place. And then, when you have these processes to use it’s not all of it – there are exceptions, but you’re quite good.
Andra Zaharia: I think this is very important as a framework because I have to draw a parallel here to changing your eating habits for example. I worked with a food coach – and I still work with a food coach – and what we worked on is setting up a process to help me make better decisions when it comes to my relationship with food and how I see it, not using it as a tool to cope with stress or difficult times in my life. So, establishing a process is very important for picking up a habit, for picking up and building, of course, a good habit, one that helps us, one that we may find difficult to do otherwise naturally. So, I found it very interesting, as you described your process of doing application security, is that, first of all, you have all these tools or peer reviews, which means that the automated tools or other people get to look at someone else’s work and see their blind spots. Because, obviously no one can see every type of potential situation and that’s why you go through these iterations, step by step, layer by layer, to rule out risks and vulnerabilities.
Andra Zaharia: I also wanted to explain a bit what a penetration test – a pen test – means. For those who don’t know, it’s basically when you hire a company or use, let’s say, a platform to get hacked before actual malicious hackers hack you. It’s basically having the hackers hack you so you can plug these holes and fix these vulnerabilities, so they don’t make it into the live product that’s used by millions of people. And I know that you, as an application security professional, and everyone who actually creates software that millions of people around the world use have a huge responsibility on their hands, and I think that this type of work is difficult, not only from a technical perspective, but also, sometimes, from an emotional and personal perspective because you’re accountable for so many people.
John Opdenakker: Exactly! And this mindset is very important, but it’s not much different than, for instance, the GDPR, which implies that you have to have privacy by design. If you translate that to a development process or any process you’re doing in a company, but also to the development process, you just have to value that. Security must be part of your everyday job, not something that comes on top of it, because otherwise, you will always be in reactive mode. And even if you’re doing it proactively, like with a process, it still can go wrong, but at least it’s… If you’re a company saying that, then really is disgusting to hear, but that should be at the heart of everything that you do. It mostly isn’t, but that should be the mindset – it’s utopic, of course, but still, you should embrace it and then use it in your everyday work. It should be mindset security. And also, with this process, it’s maturity. I always say that you have to grow. I mean, you’re not going to do it right from the first day, but you will improve and by having these quality gates you’ll also see, “Okay, we have a lot of vulnerabilities in this phase, what’s going wrong?” You can evaluate and then you should improve because the process is one thing, but you have to learn from it and improve from it every day. It’s a cliché, but it’s like that. Once you see that a few people are picking that up, the rest of the team will follow. But you have to get it started because no one likes to fix vulnerabilities that come out of tools.
Andra Zaharia: Yeah! It’s not glamorous work. That’s true!
John Opdenakker: That’s really, sometimes, depending on the tool. That’s not a lot of fun because tools are okay, but if you have to remediate risks, it’s something you wouldn’t want to do. That shouldn’t be the driver, but anyway, it can be part of the improvement.
Andra Zaharia: It’s part of the process. I think you touched on such an important thing here, that you can’t be perfect from day one. And I don’t think, when it comes to our personal security, generally, adults teach children how to behave on the street, to be careful when they cross the street – you’re not born with these things. They don’t come naturally to us, simply because evolution has given us some reactions in the face of danger – and it’s mostly physical danger, which is why we don’t perceive the online risks as important to our safety as the offline ones are. But now that they’re so connected, one way or the other, and that our lives are so intertwined with all this technology and layers and layers of complexity, we have no choice but to educate ourselves, and to try to understand how these things work, so we can just thrive and lead happy, healthy lives in the future, whatever it may bring, because, honestly, at this point, me personally, I have no idea what’s going to happen. But I know that I want to make sure that I do everything that’s possible right now.
John Opdenakker: Exactly! We can only anticipate what we know or what we suspect is going to happen. But even then, you cannot do a lot. And again, if you draw the parallel, everyone will be upset when his pictures are stolen from him by a burglar, let’s say. But still, a lot of people don’t see the risk that’s online because it’s not visible, it’s not tangible for a lot of people. That’s a big difficulty. And also, to spread awareness, yes, but it doesn’t scale easily. I mean, you have to reach all these people, and the most vulnerable group are the people that are less aware of the risks.
Andra Zaharia: That’s an important observation, and I think that’s important to know because we should start cybersecurity education when people are very young. I know that’s something that we discuss in the industry, and I hope that we can get the institutions interested in this and interested in cultivating kids’ interest in cybersecurity because there are incredible young people doing amazing things. We had a conference in Bucharest, just a few days ago, where a 12-year-old hacker came and talked about the vulnerabilities in the US voting system. It was fascinating, and the venue was packed, and everyone was super interested. I think that children naturally capture adults’ curiosity, especially when they’re more knowledgeable than most adults, on things like cybersecurity. So, that’s an interesting thing to explore.
John Opdenakker: That’s awesome to hear! I mean, that’s actually what we need. The problem is, when I was in university, security wasn’t part of the curriculum. I honestly don’t know if it’s now already part of the curriculum. It might be, it might not be; a few years ago, I’m pretty sure it wasn’t. I mean, maybe that’s more from the perspective of defenders of application security or network security or whatever, but still, that’s a big sign that it’s still not considered important enough by some people. I don’t know why that is, but that has to change as well. And then, it’s a mix of the awareness of the users but also people building systems should be aware of security. And I see each and every day, if I just go online on websites, okay, there’s a bit of different information, of course, but I see how things are implemented in a wrong way, and then I think, “Yeah, but how can they know if they are not educated?” Maybe the company is not investing in them. I mean, if you have this really small company, they don’t have a budget for security, but they have a website; probably they made it themselves, maybe they have a third party that created it, but still, they’re not aware that their website is full of holes and then it’s difficult. It’s the end-user education, and on the other hand, the people are willing, so that’s really good to hear about this 12-year-old kid – this is our future and these are the people that need to defend websites’ applications and just use their hacking skills for the good.
Andra Zaharia: Exactly! And I hope we get a lot more interested in contributing because something that I wanted to mention is that I think that there is room for everyone who wants to understand, learn or contribute to cybersecurity in any way. I don’t have a technical background and still, I was accepted into the community, I had a lot of people to learn from, and I’m able to contribute with my communication skills and with my understanding – which is limited, and I know that – from a technical perspective of cybersecurity concepts. But still, I had an opportunity to help others cover their fundamentals and use storytelling to get people to care. Because at the end of the day, I think that that’s very important for our safety.
John Opdenakker: Exactly! You have these skills that a lot of us Infosec people don’t have. I mean, if we collaborate with people who originally are not from Infosec – and I’m also originally not from Infosec, I’m a developer – but you know what I mean, from marketing or it doesn’t matter. I mean, we all have our strengths and our skills, but we don’t seem to find a way to join forces and that’s a shame. I think that you’re making a difference by doing so, but still, the reach is not big enough. That’s something I’m trying to help improve, but it’s not easy.
Andra Zaharia: It is not. And I’m really glad that we have someone like you in the community who puts so much effort into creating all this content, into writing articles, into getting involved in conversations on Twitter, because as a content creator, I know how much work and how much time and how much energy goes into all of these things. So, my appreciation goes to you and all of the other hackers or all sorts of specialists who are involved in the cybersecurity industry, which is an industry of misfits, of people who like to challenge the status quo and to challenge, let’s say, entrenched in these habits; they like to question them and find out a better way to do them, a better way to create something that’s secure, a better way to ensure privacy. I think that these are principles, they’re ideals that are very motivating, because, at the end of the day, all this energy and all this effort actually get to help someone. And I think that, for me, personally, this is one of the things I love the most about cybersecurity because it gave me a purpose and it gave me a chance to make a real contribution to improving someone else’s life, which we don’t often get to do in many jobs nowadays.
John Opdenakker: Yeah, exactly! Also, on the other hand, I did this blog series for instance, and it was well-received, and people from outside of Infosec, average users, even non-tech users were reading it and it was shared and that made it so rewarding because if you only can help a few people, that’s a win! I mean, that’s what I like about information security – you can really help people. It’s not the sexiest job or they often see you as, “Hey, there’s the Infosec guy again – or in my case, the AppSec guy – he’s always saying ‘No’.” That’s also a misconception because I think you should say no, but you have to at least give a reason why. I see too much black and white, and in my job, I never try to block things. Okay, if there’s a critical risk, it must be fixed, the system must be put offline, there’s no discussion. But mostly, there’s some kind of middle ground. You can say, “Okay, we have to do it like this. The risk is quite high, but we can do it this way, so we don’t disrupt you from working, but we’re going to change this and this.” Talk with people, make them understand why and the same with everything. I think there’s too much purism or absolutism, and that’s not a good posture for a security guy, I think. You have to get people involved and get them willing to work together with you and make them part of the security team.
Andra Zaharia: Oh, yeah! I love that observation.
John Opdenakker: That always sounds like a cliché, but it’s not always easy.
Andra Zaharia: It gets smoother from thereon. I think that people get more collaborative when you try to include them in the process and that is a brilliant observation and something that I really want to support and emphasize because, like you said, it doesn’t have to be black and white. There are solutions. There’s always a chance to improve, as long as we’re here, we’re evolved and we’re committed to making things happen because there are also these discussions online, “Is Internet Security a losing battle? Yes or No.” It shouldn’t be that way because it’s discouraging, or it would be delusional, one way or the other. And none of those options help us with our day-to-day things, with the reality of how things are.
John Opdenakker: Sometimes I plead guilty as well. When you see something is bad, your first reaction is, “Oh, this is really terrible!” Let it sink in for a moment and count to 10 and then react. I mean, sometimes it’s really bad and I plead guilty as well. I try to also go out on Twitter, that’s all good because sometimes it’s really poor security, but after all, it often doesn’t have the impact that you want. It’s better to just say, “Okay, this is what’s going on in your company. There’s a security risk, but you can do it like this or like this.” Normally, it’s not going to be very helpful, but sometimes it helps and you are going to get a reaction, and they fix things. I also have examples of companies where I reported things more than two years ago and they’re still like that.
Andra Zaharia: But it’s still worth a try.
John Opdenakker: It’s still worth a try, and we can only do what we can do.
Andra Zaharia: Exactly! But by our efforts combined – just like in Captain Planet, if you remember the cartoons when we were kids – by our powers combined, I think that you have this compound effect that can happen. And to wrap things up on an optimistic note, I really believe that the compound effects of people like you and so many other professionals that talk about cybersecurity and contribute to actively improving it in one way or another, I think that they’re going to amount to something that’s valuable and impactful. But we do have to keep at it and follow the process, build the process, trust it, and follow it and learn from it, just like you said. So, thank you so much, John, for everything that you shared with us, for all your insights, for your honesty and for telling it like it is and not sugarcoating things – because I think that this is an important conversation to have, and I hope that we can maybe even do this again sometime.
John Opdenakker: Thanks for having me! It was really a pleasure, and yeah, I look forward to another podcast.