Collaborative security

Feb 19, 2018 | 5 min read

We have far too closed of a mindset when we handle security problems.


Openness and collaboration are topics that have been on my mind lately. I have a long background in open source. I still work for an open source company. I remember epic arguments with Microsoft about whether open source is better. I guess I did win that one, now that I think about it.

But the real reason I’ve been thinking about openness is security. Generally, security defaults to closed. I remember days when I defaulted to closed for security issues. Everything was kept secret, even security issues in open source. I’ve changed my mind quite a bit in recent years. It’s been an evolution, I’d say; there wasn’t really a eureka moment where I suddenly saw some great truth. It’s possible I’m wrong, and I’m willing to listen to various opinions on this matter. Your feedback is most welcome.

At the time of writing, my current thinking is that we are far too closed when we handle security problems. I mean nearly everything a security team does: incidents, bugs, vulnerabilities, CVEs … everything. Whatever it is, we tend to default to keeping things a secret. It seems pretty obvious why you want to keep a lot of this quiet. Some of it can be very embarrassing and dangerous.

I should also state here that I’m not going to suggest we don’t have any secrets. I think there will always be a need to keep certain information secret. There may even be a need to keep certain information hidden forever. But keeping everything secret all the time isn’t the right way to go; it’s holding us back as an industry.

Imagine we have a bowl of marbles that represents our mental energy. We all have limits to what we can actually accomplish. As much as we all want to imagine we have some level of superhuman intellect, the reality is once our bowl of marbles is empty we’re not doing our best work. Everything we do all day depletes our bowl of marbles. Nobody has an infinite supply of mental energy.

When we deal with issues in secret, we deplete our bowl of marbles even faster. Issues that have to be kept secret are incredibly expensive mentally. You have to remember to encrypt that email and to only use the secret chat. Make sure your machine is attached to the right VPN. Which YubiKey do we need to log in again? There are tons of steps that have to be followed before you even get to the point of having a conversation about what’s going on. This process will drain our bowl of marbles very quickly.

Another downfall to extreme secrecy is losing out on the multiplying force of a team. It’s quite common for the security team to deal with security problems, rather than the people who actually developed the solution that has the security event. The security team probably isn’t the best group to deal with the problem. Sure, a few people will be pulled in, but why not everyone? Oh right, we have to keep this a secret.

Open source is an easy example here. The power comes from collaboration. Features developed in secret are often not welcomed into a project. If they are, there will certainly be changes before the pull request is approved. The resulting public discussion also allows others to learn something new. Collaboration creates superior results to secrecy.

It’s more common, when we look at security, to take the secret development approach. We have a small group deal with the issue in private, and then one day they make sure certain changes happen, sometimes without telling anyone why. This is not only mentally expensive, but we’re also ensuring we don’t have the best possible solution because we didn’t collaborate.

I do recognize there are times when an issue is really bad and needs some secrecy. Spectre and Meltdown are examples of significant issues that needed some extra breathing room. Could you imagine the rush job that would have resulted otherwise? But even those show signs of missing collaboration. The first patches released had to be updated. Community collaboration fixed the problems, not secrecy.

This is certainly a tricky topic. I know my thoughts are still evolving even as I write this piece. The one thing I am sure about is that we need to stop being overly secretive. We should strive for defaulting to open. Let secrecy be the exception, not the rule. This will of course require a change in thinking; it goes against a lot of what we call best practices today. If you look at the news, it’s no secret that a lot of those practices aren’t best anymore.

Our goal should be to end the week with some marbles. Of course, that won’t always happen, but if at the end of each week your bowl is empty, something is very wrong. You don’t need a bigger bowl; you need to change the way you work.


Josh Bressers is the head of Product Security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time. Josh has helped build and manage security groups for many open source projects as well as a number of organizations, covering everything from managing vulnerabilities, the security development lifecycle, DevSecOps, security product management, and security strategy to nearly any other task that falls under the security umbrella.

Josh co-hosts the Open Source Security Podcast. Josh is also an active member of the Distributed Weaknesses and Filing project, which is in the process of leveraging the power of open source for CVEs.

The opinions expressed in this blog are those of Josh Bressers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.