In many ways, there is often a creative tension between security and functionality or flexibility. We can often improve security by restricting what is possible, but at the same time, high-quality systems and software engineering provides functionality and flexibility, even for unanticipated use-cases. It turns out that the hardest problem on defense is knowing precisely how much security is the right amount everywhere, all at once. If you secure things too much, you can suffocate future growth, but if you don’t secure them enough, you might get pwned.
Like many, I got into cybersecurity because I was obsessed with the puzzles of how to compromise software and systems. While I also did things like build firewalls for companies (don’t judge, I was young and needed the money), what I really loved was exploitation, vulnerability discovery, and penetration testing. What I didn’t love, however, was how monotonous it eventually started to feel for me.
After spending roughly two decades focusing on offensive security, I switched to the other side. What I found was that after thinking like an attacker for so long, I could help prioritize my and others’ work using my understanding of what attack paths would be easy vs. which ones would be hard for attackers. What I also found was that I loved challenging myself and others to discover designs for defensive systems that we knew would be excruciatingly difficult to attack and where leverage can help defenders over attackers.
While I don’t expect that this talk will cause a massive influx of OffensiveCon attendees to rush to join the blue team, I hope to make the case that offensive security knowledge is a super-power for proactive security engineering and defense. Ultimately, offense and defense are two sides of the same chessboard, and getting good at one also helps you get better at the other.
Dino Dai Zovi is a hacker, cybersecurity innovator, entrepreneur, investor, and advisor. Dino is currently the Head of Applied Security Engineering at Block. At Block, Dino leads the engineering teams that own security-critical, complicated subsystems in products across Block. He has previously led security for Cash App and security for Square’s expansion into EMV card payments.
Dino is a cybersecurity innovator and a founder of Linux server attack protection vendor Capsule8 and security research firm Trail of Bits. He has also held early leadership roles at Endgame, Two Sigma Investments, and Matasano Security. He began his cybersecurity career on the IDART Red Team at Sandia National Laboratories and in penetration testing at @stake.
Dino is best known in the information security community for winning the first PWN2OWN contest at CanSecWest 2007; both keynoting and presenting his security research at leading conferences such as BlackHat, RSA, and DEFCON; and co-authoring the books “The iOS Hacker’s Handbook,” “The Mac Hacker’s Handbook,” and “The Art of Software Security Testing.” As a long-standing member of the BlackHat community, he has also served on the BlackHat Review Board and is a founder, organizer, and host of the annual Pwnie Awards.