How to think like a security professional

By Tadayoshi Kohno at 2:13 pm on November 22, 2007 | 9 Comments

Why this blog. A computer security course should teach you many things. You should obviously learn the important technical material, including aspects of applied cryptography, programming language security, web security, and so on. We’ll cover many of these technical concepts in the lectures, homeworks, and projects.

But a key goal of my courses is to help you learn more than just the technical material. My goal is to help you cultivate the security mindset and to help you become mature security thinkers. This blog plays a critical role in achieving these goals.

The security mindset. If you’re new to security, you’re probably wondering what I mean by the security mindset. Let me give you a brief example. Suppose you see an advertisement for a brand new product — the Miracle Foo. Is your first reaction:

“Wow, the Miracle Foo is a cool product, I can’t wait to use it?”

Or is your first reaction:

“Wow, the Miracle Foo is neat, but I wonder if someone could subvert the security or privacy of the Miracle Foo by doing Blah?”

If your immediate reaction is the latter — and especially if you’ve filled in the blanks for “by doing Blah” — then you probably already have the security mindset, or at least the makings of that mindset. If not, don’t worry! This mindset is not natural for most people. It requires you to think like an adversary — to be constantly thinking about how a malicious party might circumvent the goals of a system or product. This blog will help you develop that mindset. Never again will you see a product advertisement and not wonder what mischievous things an adversary might be able to do.

Why cultivating the security mindset is important. You may someday find yourself working on the design, implementation, or evaluation of new computer software or hardware systems. If you have the security mindset, then you will be better able to identify potential security problems with the systems on which you are working. You may not be able to fix all of the security problems by yourself, but you’ll still know that the problems exist and will be able to get others to help you fix the problems. But if you don’t have the security mindset, you may never realize that your system might have security problems and, therefore, obviously can’t protect against those problems in a principled way.

Furthermore, technologies change very rapidly, which means that some of the technologies and topics that I cover in my courses will inevitably be out-of-date in 10 years. But if I can help you learn how to think about security issues and have an appreciation for adversaries, then you can take that security mindset with you for the rest of your life and apply it to new technologies as they evolve.

Broader perspective and becoming a mature security thinker. There are many other things to gain from this blog as well. As some of you may know, my personal research interacts broadly with policy, law, medicine, ethics, and so on. Given my experiences, I believe that it is critical for you to understand how technologies interact with the “bigger picture” and society at large. This blog will give you an opportunity to reflect on the “big picture” issues surrounding technology and society.

Filed under: Announcements