How to think like a security professional

By Tadayoshi Kohno at 2:13 pm on November 22, 2007 | 9 Comments

Why this blog. A computer security course should teach you many things. You should obviously learn the important technical material, including aspects of applied cryptography, programming language security, web security, and so on. We’ll cover many of these technical concepts in the lectures, homeworks, and projects.

But a key goal of my courses is to help you learn more than just the technical material. My goal is to help you cultivate the security mindset and to help you become mature security thinkers. This blog plays a critical role in achieving these goals.

The security mindset. If you’re new to security, you’re probably wondering what I mean by the security mindset. Let me give you a brief example. Suppose you see an advertisement for a brand new product — the Miracle Foo. Is your first reaction:

“Wow, the Miracle Foo is a cool product, I can’t wait to use it?”

Or is your first reaction:

“Wow, the Miracle Foo is neat, but I wonder if someone could subvert the security or privacy of the Miracle Foo by doing Blah?”

If your immediate reaction is the latter — and especially if you’ve filled in the blanks for “by doing Blah” — then you probably already have the security mindset, or at least the makings of that mindset. If not, don’t worry! This mindset is not natural for most people. It requires you to think like an adversary — to be constantly thinking about how a malicious party might circumvent the goals of a system or product. This blog will help you develop that mindset. Never again will you see a product advertisement and not wonder what mischievous things an adversary might be able to do.

Why cultivating the security mindset is important. You may someday find yourself working on the design, implementation, or evaluation of new computer software or hardware systems. If you have the security mindset, then you will be better able to identify potential security problems with the systems on which you are working. You may not be able to fix all of the security problems by yourself, but you’ll still know that the problems exist and will be able to get others to help you fix the problems. But if you don’t have the security mindset, you may never realize that your system might have security problems and, therefore, obviously can’t protect against those problems in a principled way.

Furthermore, technologies change very rapidly, which means that some of the technologies and topics that I cover in my courses will inevitably be out-of-date in 10 years. But if I can help you learn how to think about security issues and have an appreciation for adversaries, then you can take that security mindset with you for the rest of your life and apply it to new technologies as they evolve.

Broader perspective and becoming a mature security thinker. There are many other things to gain from this blog as well. As some of you may know, my personal research interacts broadly with policy, law, medicine, ethics, and so on. Given my experiences, I believe that it is critical for you to understand how technologies interact with the “bigger picture” and society at large. This blog will give you an opportunity to reflect on the “big picture” issues surrounding technology and society.

Filed under: Announcements


  • 1

    Comment by mark pringle

    March 20, 2008 @ 12:28 am

    The increased need for security in the present era is concomitant with the emerging need for greater protective stability in a gross national product driven postmodern economy-of-scale corporate economy.

    The challenge is to maintain optimal individual freedom while obtaining maximal security; hence a degree of compartmentalization is required in the intelligence effort in order to avoid the acceptance of regimes condoning the direct use of force in lieu of a more circumspect approach to management of untoward and potentially conflagrative circumstances.

    As a result, the capacity required for such cognitively based approaches to security is necessarily fraught with the same dangers one would anticipate resulting from failure to insulate adequately dangerous matters of intelligence from the opposition (real or envisioned). It is certainly to be expected that the evolution of security measures and training in the present age of non-nation-state encapsulated conflict should lead to innovative research surrounding the cognitive aspect of predictive security; however the adoption of a particular mode of education as a new modern political institution (Machiavelli’s ‘institutions’ being the basis of the modern state) is merely the initial step (for it is not fully adequate in itself) toward understanding the modern security problem in toto.

    The problem itself is of course as ancient as politics; however, the process of civilization has been able to accommodate quickly enough at each new turn without resorting to a completely militaristically polarized form of governance; and the hope to retain this grace for the modern era is presently challenged as it never was before by the recent emergence of a third modern cofactor to the pre-existing cofactors inherited from the cold war era (weapons of mass destruction & the WOMD-driven geometric proliferation of competitive intelligence efforts): the establishment of a global hegemony, i.e. Mr. Fukuyama’s “End of History.”

    The realization of this latter factor, while being both beneficial and relatively benign, does not immediately make manifest the consequent change in the framing of political militaristic conflict in the present era, nor does it make manifest the implications of said change; what is consequent is the shift from more predictable localized conflict to non-localized conflict, driven by decentralized intelligence sources, fueled by increasingly more dangerous weapons of mass destruction, and pregnant with the absolute necessity of urgency of the latter.

    The consequences are far-reaching indeed. More so than might initially be imagined; however there is hope in the institutionalization of such cognitive methods. For while intellect may spring up naturally in the wild, its allegiance may be to some degree naturally suspect, for which reason it is more cautious to implement such measures.

    I can only hope that the casualties amongst those whose creative faculties were unpredicted, unexpected, and undesired will be few. Rare gems cannot be manufactured; neither can human beings. Where would Einstein and the other great minds that have contributed so much to society have gone had we not been there?

    May Liberty never drop that torch, gentlemen.

  • 2

    Comment by kevvie

    March 21, 2008 @ 2:32 am

    In light of what this blog and website is all about, and given that I just stumbled onto this site from Slashdot, I realized that this blog could potentially be a stockpile of information on security vulnerabilities and potential ways around security for various things, from general to very specific (a few entries I saw were about specific buildings on campus).

  • 3

    Comment by Rudy Vise

    March 21, 2008 @ 1:03 pm

    Not my URL above, but you can see where I’m going with the idea that you can emulate a computer hacker’s or security professional’s thinking.


  • 4

    Comment by Martin

    September 25, 2008 @ 12:08 am

    Honestly, propagating the view that a security mindset should be an integral part of e.g. engineering is absurd. Not only absurd but clearly counterproductive if we wish to have a more real security, i.e. absence of threat.

    Trust is the most economical way of interaction. If, as you seem to propose, we replace trust with a security mindset our lives will be solitary, poor, nasty, brutish and short.

  • 5

    Comment by Tanner Christensen

    October 28, 2008 @ 9:00 am

    It’s always a good idea to view a project from a security perspective. But how great would it be to emulate both a security and viewer’s perspective?

    Great blog, wish you’d update a little more often. 😉

  • 6

    Comment by Timmy

    November 25, 2008 @ 3:20 pm

    Great site. I will bookmark for my sons to view as well!!!

  • 7

    Comment by John@Carhireuk

    November 26, 2008 @ 4:05 am

    I too just stumbled on this website whilst searching for something else. It has opened my eyes to viewing websites more from a security perspective.

  • 8

    Comment by PDFoxy

    December 2, 2008 @ 8:10 am

    “My goal is to help you cultivate the security mindset and to help you become mature security thinkers” – very noble... good luck sir.

  • 9

    Pingback by UW Computer Security Research and Course Blog » What to contribute (Winter 2009 CSE 484 / CSE M 584)

    January 4, 2009 @ 4:58 pm

    […] undergraduate and 5-th year Masters computer security course. Please familiarize yourself with this post from last year; it explains why we have this blog. In short, the blog is designed to be a vehicle […]
