Hello, good morning or good afternoon. How are you doing? So, sorry, I'm a bit sick. I'm running a cold. Hopefully, I will be able to talk until the end. So, hi, I'm Christian. I'm now going to talk to you and explain to you my personal, private views on how to start as a security engineer. So, the talk started actually last year at DEF CON India. That's the traditional opening. They got that stuff from the fireworks last year. I've given a keynote about security and community and responsibilities, and people asked me actually how to start as a security engineer. So, agenda and goals, what you're going to learn here. And if you start with this disclaimer: this is a very opinionated and subjective talk. It's just my personal ideas, which maybe you find useful or not. It's also incomplete, probably biased, because I'm more of a back-end engineer, and it's not that serious. It's a bit of entertainment too. So, I hope to entertain you a bit. So, chapter one is going to be thinking and chapter two is going to be learning. So, how to think as a security engineer and what I think is useful to learn. And one thing to learn is that security engineers are not always the people that are liked by most, because that's one of the pieces of feedback I got at DEF CON India. Well, either we break stuff or we break stuff. Whatever. So, a quick recap from a presentation I gave last year at DEF CON: why should we care about security? Just very, very quick. So, for one, it's about money. You can lose a lot of money if you don't care about security. Or you can actually kill people if you have one like that one. And replacing a pacemaker is not an easy thing; you have to cut people open to fix a security bug, and nobody wants to get cut open. So, let's start with some statements and propositions just to get feedback from the audience. What do you think about that? So, security is actually a feature, or something you can sell to your customers.
And as an attacker you only need just one vulnerability, but as defenders, somebody like us writing software, we must be always perfect, always. And finally, most users just don't care that much about security, and often they just install malware on their own computer, use stupid passwords, and it's mostly the users to blame. So, what do you think? Feedback. Do we think that's a valid proposition, a valid statement, or do we think that's wrong? Do we think it's good? Okay, just a few hands. Well, okay, I think I spoiled it a bit, but I think that's actually how I used to think: blame the users. We are the engineers, we are perfect, and users are... Please close the door. Thank you. I think it's very dangerous, and also arrogant, to think like that, and I'll explain to you later why. Because we engineers, we software developers, actually do stuff for users. So, if you know the old movie Tron, we fight for the users. We don't fight for ourselves. We want to build something to sell to people, to be useful, especially as open source engineers. So, chapter zero, actually: attitude. So, how you should actually think about security. And the first thing is, security is not a feature, not by itself, because... Would you buy a car that's advertised like that? You would just assume that a car just doesn't explode by itself, and nobody would actually advertise cars like that, yeah. So, civil engineers, automobile engineers, they all learned that the hard way. There were multiple accidents in the past. Let's see, bridges in Scotland 150 years, 200 years ago. Let me see my speaker notes, a secret note. Again. So, they learned the hard way that you should not build bridges in a way that they just collapse, and the aeronautics industry also does lots of testing. So, that picture I had last year, how they actually engineer and test airplanes; that's a wing-up test.
You see, that's the tip of the wings. So they do very thorough testing, because if you have an airplane, there's no safe mode as soon as it's in the air. So, you have to get that thing down in one piece somehow, and if that fails, well, yeah, it comes down, but you want to have it in one piece. And yeah, security is also not digital. Yeah, I was looking for a word that explained black or white without using the words black and white. That's the only one I could find. So it means it's not just either totally secure or totally insecure. There are multiple shades between that. Alex Gaynor wrote a very good blog post about that, the worst reason in information security: that you must be perfect, always. In most cases it's not that; you can have slightly insecure software if you do it the right way. And how does that relate to exploding cars? Hmm. Yeah, so maybe sometimes you need a car that does not explode, you should have that; maybe in other cases you want to have a cheap car that runs on standard roads. And that's something you have to figure out: who's your adversary, your enemy who tries to attack you, and how much can you actually lose. Also, there's no such thing as unbreakable encryption or absolute security. If somebody asks me, "I've worked on something unbreakable": how about a Kardashev level 3 alien civilization that can harness the energy of the whole universe to power a supercomputer? Can they break your encryption? Well, if you can prove that even an alien civilization could not do that...
Maybe then you're unbreakable, but maybe not. Yeah. So you have to think about threat modeling. You have to weigh costs and benefits, and you have to actually document what could go wrong. One point that people always... I think a good example of that is the fingerprint sensor on your mobile phone. For most people it's actually beneficial to use a fingerprint sensor, because it's very easy to lock and unlock your phone. Except if you have state-sponsored attackers that want to steal your data, if you're a journalist, then it's maybe not the best way. But for most people, although it can be broken more or less easily, yeah. Or cost-benefits: sometimes it's fun to think about quantum computers and TLS ciphers, but in most cases it's actually "don't use vegetable names". Yeah, go for the low-hanging fruits. So people in the past have done that, so you want to have defense in depth, like aircraft do that also. That's a wing from the airplane; they have multiple ways to actually control the thing. I'm not going to go into that, because that's already one and a half minutes into the beginning to explain that, but even if both engines, the power generator and the batteries, fail, and they control the flaps and spoilers and whatever they have on the wings, there's still one more backup mechanism for airplanes, and that's a feature that makes it a bit more safe to fly. They can do something like that. That's a RAT, that's a ram air turbine. So even if everything fails, they can still power the whole hydraulics and control the plane.
So if you develop software like that, even if everything goes wrong, you have a backup, pretty good. And that makes our industry a very safe place... I still have the slide from 2017, because 2018 was not that good, and also in 2017 we had that one where at Amazon one engineer brought a large part of the internet down, and we didn't have any bad large outages this year... first and last year's... no... so last month. Please mind the user, and if you're from London, you may know that one. So please take care of the users, because if you still think that users are to blame for our security incidents, that's the wrong way. Take care and think, and there are lots of ways humans can do stupid things. That's again a repeat from last year. Social engineering is a big issue. Well, you have attacks that try to do what's called spear phishing: we get information about the CEO and trick other people into sending you money. Other people like to give away chocolate and get passwords, etc., etc., etc. And so you have to ask yourself not what users can do for security, but what security engineers can do for users, to make users more safe, and especially people like your grandmother. So what's your first reaction when you see that? Anybody? Yeah, okay. Yeah, if it failed, you probably shouldn't scream at your grandmother, but just ask yourself: why did your grandmother install Flash? Maybe she wanted to watch an old video recording she made years ago with an old phone. The only way to view the video recording is installing Flash.
So ask why. And related to that: user interfaces. There have been two accidents, incidents, in the last two and a half years. The left one is Hawaii. Well, somebody made a mistake and didn't understand the user interface. The other one, a couple of months ago, very unfortunate, where there was an incident where an airplane crashed because the user interface did not tell the pilot something the pilot could understand in an emergency situation, and basically the airplane tried to save itself by driving itself down into the sea, and people just died, the whole crew, everybody on board, because of a user interface problem. And the airline industry has another way to model that kind of security, or safety, because they are usually safe. It's called the Swiss cheese model, where you have multiple layers that protect each other, and only when all the holes, the small gaps in your design, come together, so human error, technical error, design errors, then it has failed. So, next one. How do you think as a security engineer? Oh, I'm awesome on time. One sentence that I picked out many years ago from a book by Bruce Schneier: be professionally paranoid. And paranoid in quotes, because paranoia is actually a serious mental illness, not something you should make fun of. But I think most people think of security engineers that they emphasize too much on security, less on usability, and sometimes blow security bugs out of proportion. And just remember: keep professional, keep your own bits of paranoia, and you have to find a balance. And another thing I personally do a lot is just to go on and be creative, think of the funny, crazy ideas. But the other thing is, often security bugs repeat themselves. There's been, like, Bleichenbacher, the attack on RSA from 20 years ago.
I'm not sure if you covered that, because I missed your talk. Often you see a security bug in one language... so I'm on the Python security team, and there have been plenty of cases where we had bugs in Ruby and PHP and the same in Python, because we made the same mistakes. And software is often built in these layers, and these abstraction layers are leaky, especially if you consider security, and they might even look less like this stone but more like a Jenga tower, always falling over, and they leak through. A very good example of that I like is the way you can actually exploit the behavior of electrons in the computer from JavaScript in your browser and do a Rowhammer attack. And that goes through so many layers of indirection and abstraction, it's just mind-boggling. RSA attacks: you can even crack them with a microphone. There have been funny attacks using acoustics. I've had that slide for a couple of years now. So all of that is funny. A new one I found, just going the other way: if you're looking at security, what makes your data center secure against intrude-ears? And that's not a typo. Today's tweets on Twitter are just too funny to not add that. So it doesn't help if you make the software you serve secure; you also want to make access to your infrastructure secure. And there are so many levels, and animals are fun. That's also something I'd like to bring up: cyber terrorism... actually the most dangerous ones are squirrels. This is the list, a website that lists power outages of data centers and big cities caused by animals, with maps and links to news reports. And finally, another slide I'd like to bring up. It's also, if you are a security engineer, or an engineer in general: about ethics and compliance, and just be nice and don't be an idiot. So we have a responsibility to keep people safe. I'm posting what this company sold as a t-shirt, but the last sentence: "Boss, should I love you?" and the girl replied, "Yeah, I love you, too."
I think that's the better version of that. So what should you learn? How to think: actually admit to yourself that you actually know nothing. So there's the so-called Socratic paradox: I know that I know nothing. And it must be a word that computer science, security, programming is so complex that it's virtually impossible to even understand one area very well. You can be especially good in a very narrow area, or know a bigger area a bit better, but actually knowing all of it is impossible. So be aware of that. So that's why you need communication. I think it's the most important skill, both in the sense of talking to your team members, talking to users and understanding users, also to gather information. And finally, it's by Google's security princess Parisa Tabriz: stop reading, start doing. So you can read a lot about security, but you actually must get your hands dirty and get practical. But if you want to start by reading, and I actually recommend that, I really like that book. It was one of my first security books, and you can get that now for free. It's a bit dated but still very good. It explains different kinds of security models, I think a household, a military base and a hospital, like practical ideas and practical case studies. Okay, let's get down to a bit more concrete things, running through that. So I also will upload the slides, so you don't need to write down all the links and names I will pop up in the next couple of minutes. I guess I'm throwing the slides in your face, and hopefully I'll also have the slides up in an hour or so. So one of the important things is, do you need soft skills? As a security engineer, but in general as an engineer, you want to work in a team. You want to work in a team that's diverse, both in a social consideration but also in technical expertise.
You need people who know how hardware works. You need people who know how crypto works, others who know how browsers work, because I don't know front-end development; I've almost no clue about that. But we have a lot of people on our team that know front-end things, and if I talk to them and exchange ideas, they may come to my aid. And yeah, it's also very important to know how to find information. It's less about knowing all the things these days; you can just use DuckDuckGo, Google or whatever to find information. But understanding concepts, and then being able to find information about that concept, and figuring out which information is actually good and which is maybe bad information. Yeah. Other things: legal affairs, if you deal with security, often compliance rules. If you find security bugs, you may actually get in trouble reporting them, depending on which country you are in or which company you find a security bug in. Rhetoric is good: how to convince people that they may have a problem. And yeah, reading and writing documentation. I think lots of engineers consider doc writers as second-class whatever people, but I think writing clear documentation that's easily understandable by the target audience, either for other engineers or for end users or for managers, for decision-makers, politicians, that's not that easy. We need them. So the last chapter in social human interaction is one book, or two books, and one website that is related to a book that I like regarding social engineering. That's the secret agent stuff, so how to trick people into giving you information or access. So that's one of the books I read. By the way, the books I'm showing here are books that I own and have more or less read, and I like them. There are tons of other good books; these are ones I actually enjoyed. Obstructing security: stuff you should know, first of all, self-defense.
So it helps to eat your own dog food, understand how to protect yourself, to then explain to users how they can protect themselves, and also to learn how to make it easier for users to protect themselves. And Freedom of the Press has very good training material for journalists, even in countries that are less friendly. Yeah, and admin things: if you work in a Unix environment, there's one good book. I have the second edition; the third one is even more up-to-date. Or man pages. So if you do back-end development, you want to know how your operating system actually works and its design; that one helps. Other than that, any engineer who does something with the internet should actually know how IPv4 and IPv6 work, how firewalls work. DNS is very important. Red Hatters should know Linux a bit, and there are tons of very good tools I sometimes use and can recommend, like Wireshark for analyzing network traffic, nmap, Metasploit, or more if you're going a bit deeper. So up there, for big projects: the Open Web Application Security Project, CWE and CVE, and the IETF Requests for Comments. These are standard documentation and good listings of security bugs, and I recommend, if you work in any kind of development, to keep track of that. Especially for web developers, the OWASP is very helpful, listing common vulnerabilities, and you should be familiar with these kinds of attacks as a front-end and web developer and back-end developer. Really funny, still these days, XML attacks are dominant; they're still in the top 10 of bugs in applications. But also Unicode: they are fun things. There are characters that look like other characters, or if you have wide characters and do quoting and normalization in the wrong order, you can actually have a persistent XSS.
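The quoting-then-normalization ordering bug mentioned above, as an added Python example (not from the talk); the fullwidth input string is constructed for the demonstration:

```python
import html
import unicodedata

# Constructed input: fullwidth "<" (U+FF1C) and ">" (U+FF1E). html.escape()
# leaves them alone because they are not ASCII metacharacters, but NFKC
# normalization turns them into plain "<" and ">".
UNTRUSTED = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"


def escape_then_normalize(user_input: str) -> str:
    """Wrong order: quoting runs first and sees nothing to escape, then
    normalization (e.g. done later by a storage or template layer) rewrites
    the fullwidth forms into a real <script> tag."""
    quoted = html.escape(user_input, quote=True)
    return unicodedata.normalize("NFKC", quoted)


def normalize_then_escape(user_input: str) -> str:
    """Right order: normalize to the final code points first, so that the
    escaping step operates on exactly what the browser will render."""
    normalized = unicodedata.normalize("NFKC", user_input)
    return html.escape(normalized, quote=True)


def contains_raw_tag(rendered: str) -> bool:
    """Defender's check: does the rendered output contain a live tag?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    for name, fn in (("escape->normalize", escape_then_normalize),
                     ("normalize->escape", normalize_then_escape)):
        out = fn(UNTRUSTED)
        print(f"{name}: {out!r} (raw tag: {contains_raw_tag(out)})")
```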
I just learned that the other day. Programming languages: to understand security, you probably want very low-level things. To write new software these days, you probably use the right side, because they are memory safe. Cryptography, three books. The left one was my first crypto book, actually bought as a kid. That's more of a popular science, easy-reading book, explaining crypto from ancient Egyptian to post-quantum computing; more like a history book, and very fascinating. The book in the middle is a bit dated but still good, but I would not use the book to design a new protocol, rather to understand the thinking. And the right one is a rather modern crypto book by JP Aumasson. Also, if you know a bit of math and a bit of crypto, it's good to read other resources. There's the Cryptography I course by Dan Boneh; you can still sign up, they just opened up the signing process three days ago, four days ago. I like the Cryptopals challenge, and the last book is also free, but that's actually super complex if you want to know the math behind it. I don't understand that, but well. For TLS, SSL certificates, that's the standard book these days; for a long time we didn't have a standard book. The CAB Forum link, that's the standard used by all modern browsers and CAs that are public. For password authentication, if you still think you should have one upper, one lower, one number, read that guide. That's from NIST, and you will no longer think it's a good idea. FIDO or WebAuthn, what is coming up now; OpenID Connect, a protocol used for social network logins, are good. And sorry, Troy Hunt's Have I Been Pwned. That's a very useful site that lists... you can even check your account if you got exploited by an attacker. Some misc stuff.
So just some blog posts: the weekly security news about Linux, Troy Hunt again, Krebs on Security, Bruce Schneier, and there's also a monthly newsletter by Hannover. But last things: if you'd like to watch videos, I recommend videos from these four conferences. They range from politics to easy to mind-boggling complex things. For Chaos Computer Club, they usually have names like 35C3, so that makes it easier to find them on YouTube. And here's a bunch of names of people I follow on Twitter or whose blog posts I read. They work for different companies, and it's just fun following them. I'm out of time. Summary: keep learning, gain experience, and if you have more links, names or suggestions, please contact me. And yeah, get your hands dirty, and don't use your own crypto in production. That's for you. See, move...