May 27–29, 2015 • Santa Clara, CA

Q&A with Velocity Keynote Speaker Laura Bell

Jason Yee | @gitbisect

Laura Bell has nearly a decade of information security experience and specializes in bringing security survival skills, practices and culture into organizations of every shape and size, and she will be keynoting at Velocity in Santa Clara. I recently had the opportunity to speak with Laura and learn more about eradicating the human problem, her thoughts on blamelessness, and how we can be more secure.

Can you tell us a bit about yourself?

I'm a former software developer and penetration tester and run a security firm called SafeStack. We specialise in providing security tools, training and consulting to high growth/start-up and agile organisations. My aim is to bring security into every application from idea onwards and prepare all organisations (big and small) so that they can survive in our connected world.

You've talked about "Eradicating the Human Problem," which sounds like a topic our Robot Overlords would discuss. Can you explain what you mean by the "Human Problem?"

It's not as sinister as it sounds! Security is well regarded as a three-part problem made up of Technology, Process and People. Technology is easy for us to test and configure, and processes are audited and measured. However, when it comes to people, we are less mature. Humans are empathetic creatures and we don't like to hurt others or expose their vulnerabilities - as a result we ignore the issue of people. We chalk it up to being 'too hard to solve' or 'too easy to exploit'. I am working on tools to allow us to change this, to make human security something that is engaging, understood and safe to test.

In DevOps, there's a value on "Blamelessness" — the idea that people try to make good decisions and when something goes wrong, we should focus on the systems that enabled or encouraged poor decisions, not on the person who made the decision. In terms of security and the "Human Problem," is this flawed? Are we being too naive in how we view people?

I don't believe we are. There is a real danger in attributing blame. It is easy to view an individual's actions in isolation rather than in relation to the environment they work in and the training and support they receive. I think in fact that security needs to come closer to the DevOps blamelessness for the majority of situations. Often if we focus on the individual, they become a convenient target, but this may lead us to miss the root cause (and repeat our mistakes).

Obviously we still need to make sure there is accountability, responsibility and repudiation in everything we build to ensure that genuinely malicious individuals and actions are identified. When dealing with incidents or the results of penetration testing however, the default should be to embrace blamelessness and widen our focus.

You recently released a new project called AVA, can you tell us a little more about it?

AVA is an open source first generation human vulnerability scanner. In simple terms AVA allows us to visualise the connectivity of the people in our organisation and test how they react to different types of threat. These threats could be things like malicious email, click-bait tweets or they could be inappropriate requests that would breach privacy mandates. Once we can see our organisations for how they are really built and connected and measure how people respond to common attacks, we can plan and prioritise our defenses. You can find out more about AVA at http://avasecure.com or follow our progress via @avasecure on twitter.

What's the biggest security challenge that developers face?

From my perspective it would be the complexity of the technical stack they are using day to day and finding a way to monitor all of these components for new vulnerabilities. Companies as small as a few people can have hundreds of interconnected items to monitor and manage which can be really challenging. Without this management however, security vulnerabilities remain unpatched and we expose ourselves, our customers and our organisations to risk.

What are some things that developers can do to be more aware of security?

Come out into the security community and say hi! Seriously, the division between security people and developers has been around for years and while we all need peers to share with - this has become dangerous.

Security folk and developers need to learn each other's worlds and languages. It's time for us to work closely together, side by side.

What are some things that developers can do to help make others in their organizations, especially those who may not be technical, more aware of security?

The key is to make security engaging and relevant. We have all heard the stories of how the hackers are coming and we are all doomed. While it may be partly true, it's not a very motivating message. Bring security into everyday life in a way that people can contextualise it. Make it ok to ask questions and challenge things that seem strange or insecure, and finally create safe environments to break things.

Security fails when it is isolated and managed only by specialists. We are stronger when we are all involved.

* * *

If you’d like to join Laura at Velocity and gain deeper insight into tools, techniques and workflow strategies to make your organizations and applications safer and more secure, review our packages and register today.

Tags: security, devops, people, keynote

O’Reilly Media