TEN SECURITY DESIGN PRINCIPLES (SDP)

Kip Boyle:
Hi everybody. Welcome. This is Your Cyber Path. This is the podcast that focuses on helping you as a cybersecurity job hunter get the job of your dreams. And I’m Kip Boyle. I’m here with Jason Dion, and we’re happy that you joined us today. Before we get into the topic, I’ve been dying to ask Jason a question about this artificial intelligence tool that was released a little while ago called ChatGPT. And I know that I’ve been playing with it, he’s been playing with it. And one of the things I’ve been asking myself is how are tools like this going to help the folks who listen to Your Cyber Path? And so Jason, I’m going to let you go first, welcome to the show, but what do you think? How’s this going to help people?

Jason Dion:
Yeah, honestly, I love ChatGPT and the whole idea of this generative AI where the AI can create new things. And that’s really, it started out with the DALL-E with the image creation and then they move to ChatGPT, which is basically a general knowledge database. And I find it to be really, really useful, especially when you’re doing things that are tied to certifications, tied to things you’d use on a daily basis. Being able to write things and create a first draft of reports or any explanations you may need to come up with, it does a really good job of all of those type of things. So personally, I’m using ChatGPT a lot as I am outlining courses, as I’m writing scripts, as I’m creating exam questions, all sorts of stuff like that, I’m able to use ChatGPT for. And one of the things I’ve heard a lot of people say is, oh no, ChatGPT’s going to take my job. What do you think about that? Kip? Do you think this AI’s going to replace us?

Kip Boyle:
Possibly in the far-flung future, I don’t know. That’s a little murky, but I’ll tell you what I think the situation is for the next, let’s say three years. Okay. Because it’s hard to look past that. I think of ChatGPT as like VisiCalc. Okay. So way back in the midst of time when personal computers first started showing up in the 1980s, one of the killer apps was this spreadsheet program called VisiCalc, and it took spreadsheet off of paper and whiteboards, which is where people used to do all that work and put it into a computer and automated it. And what happened was is that if you were an accountant or an engineer or somebody who was doing a lot of finance work, anybody using a spreadsheet had to learn how to do it in a computer and they had to stop doing it on giant ledgers and wall sized charts. They had to completely change the way they worked because if they didn’t, they were going to be left behind as other people automated.

And the people using computers to do spreadsheets were going to get results faster. They were going to be able to generate more scenarios than people using manual tools. And so it just accelerated and increased productivity of the people who embraced it. And I think that’s what the opportunity for ChatGPT is, is for us to embrace it as a killer app that’s going to help us accelerate our own personal productivity and also the quality of the work that we can do in the same time. If I had an hour last year to write a script for a podcast, if I can use ChatGPT now I can create just as good of a podcast episode in a fraction of the time, or I can take the rest of that time and I can invest it on making the script even better than I could have with working on my own with only an hour. So that’s how I’m thinking of it. But does that pencil with you?

Jason Dion:
Yeah. I think that’s a really good way to look at it. And when we look at different technologies that come out, there’s always this question on whether or not it’s a transition technology or transformational technology. And what I mean by that is there are some things that are a transitional technology. For instance, when we used to sign for our mortgages, you had this big thick packet of papers when you go and buy a house and you sign everything and you sit there with a pen and inking and you sign it all. Well, a lot of that-

Kip Boyle:
And you used to have to go to a physical place.

Jason Dion:
And you go to a physical place. And nowadays, you can do all of that online with things like DocuSign or Eversign or any of those type of things. But that wasn’t really a transformation as much as it was a transition. You took this paper thing and now it’s this digital paper and you sign it by clicking instead of signing it with your hand.

Kip Boyle:
Yeah.

Jason Dion:
That’s just moving it from one medium to another. Same thing if you look at tax preparation, when I was younger and I had my first job as a bag boy working for Whole Foods, I got a W2 at the end of the year and I got this 1040 easy form, which was a one page form, and you filled out the little boxes and you did the addition with a calculator and you mailed that into the IRS with your check or to get your refund back.

Well, TurboTax came along and it was a transition technology. You’re still filling out those forms, but then they started evolving over time where it would became this yes or no. And you started moving through and it changed the process so that anybody can do their taxes, because I can tell you the first version of TurboTax and the old QuickBooks and things like that, it really was just what does the paper look like now? It’s a digital form, fill out the blocks. Then it got to this questionnaire style thing where it was a different way. So anybody-

Kip Boyle:
Kind of a wizard.

Jason Dion:
And that’s where we start getting these transformations that happened. So Netflix is no longer just a movie rental company, it’s a movie production company and the way they do streaming instead of DVDs and all that has changed from the way they originally started out. And that was a transformation over time. And I see a lot of these AI and ML technologies, they started out being very transitional where it was, how do I replicate what you’re already doing in a faster, easier way to now becoming more transformational where they are creating new processes and new ways of doing things. And I think ChatGPT is on the very starting of that transformation part, but the next version when they get to GPT-4 and GPT-5 and GPT-6, it’s going to be even better, even faster, even more accurate and things like that. So the tool is going to get better.

Kip Boyle:
I think that’s reasonable. Yeah, I think that’s reasonable. And I think my advice for anybody right now is get in there and start playing with it. Don’t be left behind because I think the pace of change is going to be pretty rapid and it’s going to be, not impossible, but tough. Think about if you know avoided computers for the first 10 years and then all of a sudden you’re like, fine, I’ll learn how to use windows. Oh my gosh, what a lift.

Jason Dion:
Yeah.

Kip Boyle:
It’s much better for you to go along. But as far as job hunting goes, real quick and then we’ll talk about the actual topic of the episode today. As far as job hunters are concerned, would you tell somebody looking for a cybersecurity job to let ChatGPT write their resume right now?

Jason Dion:
I would let it do my first draft, but I don’t know if I would just take what they give me and then, it’s a minute, because ChatGPT is dated in its knowledge. So I equate this to somebody who learned everything there was to learn up until 2021 and then never opened the news, never read another book. And that’s essentially what ChatGPT did. It was trained on all this data up through I think mid 2021, and that’s what GPT-3 is based on. So the way that resumes were written two years ago may not be the way you want to write them today. The wording that we used two years ago may not be the wording used today. I think back to when I got my first degree in cybersecurity, we didn’t call it cybersecurity, we called it information assurance.

And so my degree is actually a master’s of science in IT with a specialization information assurance. Today we would call that a master’s of science in cybersecurity, but back then we didn’t. And so these terms do change over time. And if you’re using an outdated term because you’re using an outdated data set like ChatGPT, then that can become an issue, or if you ask it, Hey, I’m on the job, I’m trying to set up, I don’t know, a EC2 Instance in Amazon Cloud, you can ask it, it’ll give you step by step directions on how I do it, but those are directions that match up with the 2021 interface. And in 2023 it looks a little different and things moved a little bit differently. So there’s things like that where it becomes a little outdated. So you can’t a hundred percent trust it, you’ve got to verify it. You still need to know what you’re doing.

Kip Boyle:
Yeah. Yeah.

Jason Dion:
I think that’s why we’re not worried about it taking our jobs and instead it’s a helpful tool that can help us do our jobs faster.

Kip Boyle:
Yeah, I absolutely agree with you that any output you get from ChatGPT short of telling it to write you a fictional story where facts don’t really matter. Anytime you’re dealing with facts and ChatGPT, you must scrutinize the results because it’s just not there yet. You cannot trust it completely with something as important as your economic future. But I’ll tell you what I think ChatGPT can do right now, that would be really helpful. I think you could take a job posting, and today you always want to know, well, what’s the most important thing about this job? And you want to know what’s the frequency count for the words that are used most often. And you might put that into a word cloud, but I think you can feed that job description into ChatGPT and ask it what’s the highest frequency words and have ChatGPT tell you, or have ChatGPT say, tell it, summarize this job in a hundred words, and then you’ll let that steer you to the essence of the job.

So I just think of it as something that can automate the analysis that I’m already doing. And so I think it’s pretty reliable for that.

Jason Dion:
Yeah. Another thing that I see it being really good for is being able to summarize large amounts of data. So if I say, Hey, here’s 1500 word article, rewrite this into 300 words, and now I’ve cut it down what I need to read by one fifth, so it’s only 20% the size, ChatGPT does a great job of that. Conversely, I’ve given it the other way where I say, Hey, I’m currently writing a new course for Cloud Essentials, and that is something that is a very basic certification. So ChatGPT knows all the information for that type of a certification. And so I can say if I go and pull out the official textbook, and in the textbook there was a section on DevOps, how long should DevOps be in Cloud Essentials? Well, there’s a lot of objectives that cover it, so you should think it, it should be a pretty hefty section. In the official CompTIA book, it is literally five sentences, it’s one paragraph.

So when I was going to do my course, I’m like, that’s not enough. So I put it in the ChatGP and said, consider the following paragraph. Now give me an outline and a basic script for 1500 words on this topic. And so it was able to expand that and give me examples and things like that. Now was that exactly what I filmed? No, but that was the 80% rough draft, and then I could spend some time doing it. So it used to take me an hour to write a script. I can now write a script in 10 or 15 minutes because they gave me version one to start with. And in the past, I’ve used humans to do that, and now I don’t necessarily need a human to do it. I have this ChatGPT system that could do it. And so that’s when you start talking about where-

Kip Boyle:
You really are eliminating jobs, aren’t you, Jason?

Jason Dion:
Well, no. In our case, it wasn’t eliminating jobs. We were able to free up the time of those people to do other tasks that we needed that are higher level thoughts. And so it’s allowed us to reuse people in higher level work the same way that we used to do with automations too. There’s a lot of things that we used to have people clicking buttons and copying and pasting data from website into a spreadsheet. We now have automations that can scrape websites and put it all in there for us. And so that eliminated those jobs, but that freed up those people to do better tasks where they’re making more money and making the company more money and all that kind of good stuff.

Kip Boyle:
More value. I love that.

Jason Dion:
So I see there’s higher value add there. The last thing I would say with ChatGPT before we move into our topic of the day is that when you’re using ChatGPT, a lot of people are using it and they think it’s like Google. This is not what ChatGPT is used for. You don’t want to go in there and say, what is-

Kip Boyle:
The definition of.

Jason Dion:
… Infrastructure as a service?

Kip Boyle:
Yeah.

Jason Dion:
You can go to Google for that. That’s not what ChatGPT is for. Instead, you can talk to it just like you would a coworker. So when I want to get the best results, I actually tell it exactly what I’m looking for. So if I was going to ask Kip to write me a script, I would tell him, Kip, I want you to write me a script. It needs to be between a thousand words and 1500 words. It must cover this topic, and I want you to include these five terms that are really important. And then you can generate me a basic rough draft. But if I just say, write me 1500 words on cloud security, it can be all over the place with what you’re going to get. Instead, I want to be very specific. I give it, if I can take the time to write two or three sentences and give it a good idea of what I want, it’ll give me back very good results. But if you just say, write 1500 words on cloud security, it’ll be all over the map.

Kip Boyle:
Yeah, no, that’s called prompt engineering, by the way.

Jason Dion:
Yeah.

Kip Boyle:
That’s the little turn of phrase. And I think that your ability to get ChatGPT to do what you need it to do will turn mostly on how you prompt it. And on that note, I’m just going to say that we are going to do a future episode just on ChatGPT. I have a guest in mind, Jason, that I haven’t had a chance to talk with you about yet. But this is a guy who published recently a Udemy course on prompt engineering for ChatGP tech. Took his course, my mind is blown, and I think we should have him come on a future episode and talk all about how to do this, and I think it’s going to be fantastic. But today what we want to talk about is something called security design principles, and this is actually the beginning of a series of 10 episodes that we want to do. This is just today, we’re just going to introduce the topic, and we’re not going to do 10 episodes in a row because that would, yeah, that’s all you’d listen to for weeks and weeks and weeks.

Jason Dion:
The next five months. Yeah.

Kip Boyle:
Yeah, that’s just too much. So what we’re going to do is we’re going to cover these 10 security design principles, but we’re going to have other episodes that will interleave into these 10 every now and then. But when we’re done, we’re going to have 10 episodes that we think are going to be super helpful for people listening today and people who tune in for the first time in the future because you want to talk about something that ChatGPT already knows about, it knows about security design principles. And why? Because this idea that we have principles that we should design secure systems to goes all the way back to what year, Jason?

Jason Dion:
Oh, 1975, I think it was. Yeah.

Kip Boyle:
1975. Can you believe that? It’s really-

Jason Dion:
Older than me, Kip.

Kip Boyle:
… It’s shocking that I can trust you to handle something as ancient and useful. This is, in the accounting profession, this would be going back to clay tablets and Sanskrit doing some basic inventory management, because that’s where accounting came from, going all the way back. And for us, we only have to go back to 1975. So it’s just absolutely crazy. But this is the origin of our work. So let’s just, again, introduce the topic. And so Jason, I don’t know, tell me, are there any certifications that you teach that mention security design principles at all? Does it come up?

Jason Dion:
Yeah. So it used to be covered in things like CASP and CISSP and Security+. In the newer versions, they don’t talk about them specifically like here are the 10. But as we talk through these 10, over the next 10 episodes that you guys are going to hear, you’re going to see that these are things that we do cover in the certifications, but we don’t cover them as, here’s a list of 10, but they are, everything you learn in Security+, everything you learn in CISSP, everything you learn in Certified in Cyber, it all really comes back to these 10 security design principles. And one of the biggest concepts you’ll hear a lot that people use is the term defense in depth, which used to be the big thing we always focused on. So I guess we probably should talk about defense in depth and how that applies with these security design principles and what it is and why we always talk about defense in depth.

Kip Boyle:
Yeah. Thank you. That that’s a great place for us to start. And I agree with you, this little turn of phrase, defense in depth, is very, very widely heard and widely spoken. Everybody has heard about it. But what I want to focus on is, okay, well what exactly is that? Is it a guideline? Is it something you can do or not do? Is it optional or is it a rule where it becomes more serious? Could we even go so far as to say that it’s some sort of a law? Like, hey, if you’ve got an internet facing solution and you don’t do defense in depth, you’re basically committing malpractice as a security professional. So where does this elevate to in seriousness? And again, we’re calling it a security design principle, and in fact, there are many security design principles, and they’re not laws. I wouldn’t say that they rise to the level of if you don’t do them, then you’re committing malpractice.

However, I would say that to the extent that you don’t follow an applicable design principle like defense in depth, then I think you are opening yourself up to being exploited. If you’ve got some kind of an internet facing system and you don’t do defense in depth, because let’s say you don’t have enough budget, you haven’t been given enough money, and so you can do one defense, you can’t do two. So what are you going to do? And you have to make a compromise. And I think anytime you compromise on an applicable design principle, I think you’re asking for trouble. And so that is where I would put the level of seriousness of this, where it’s like, these are really, really strong, what do they call those on the sides of the roads?

Jason Dion:
Oh, guideposts.

Kip Boyle:
Yeah. Well-

Jason Dion:
Mile markers.

Kip Boyle:
… Barriers.

Jason Dion:
Yeah.

Kip Boyle:
Barriers-

Jason Dion:
Oh, yeah, barriers. Yes, yes, yes.

Kip Boyle:
You know what I’m saying? They’re really important barriers. And can you drive on the twisty road a thousand feet above the cliff without those guardrails? Yeah, but you better not go very fast.

Jason Dion:
Yep.

Kip Boyle:
Guardrails, maybe you can go a little bit faster. And so I think of them as really, really important guardrails for the safety of your systems and for your data. And if you don’t follow one that’s applicable, you better have a good reason. And you better tell the system owners and the data owners, Hey, we’ve got an extra risk here because I couldn’t afford to do defense in depth. If you’d given me more budget, I would’ve. So anyway, that’s how I think about security design principles. What’s your take on it?

Jason Dion:
Yeah. So for me, when I think about defense in depth and the security design principles, I think about them as best practices. So these are things that you really should do. Like you said, they’re not necessarily a law or regulation. No one’s going to slap the handcuffs on you and take you to jail because you didn’t implement a firewall. So it’s not that kind of a law, but it is something that good organizations are going to do these things. And if you want security, you need to have these things in place. And that’s where this comes into. And we talk about defense in depth, we’re talking about layering your defenses. So if I have a laptop, that laptop needs to have antivirus and antimalware, it needs to have a software based firewall on the system, but when I connect it to my network, my network should also have a router with ACLs, and it should have a firewall and attrition detection system and attrition prevention system and all those things that layer on top.

And the whole idea is you’ve probably all seen this picture of Swiss cheese. If I take a block of Swiss cheese and I cut it up and there’s a bunch of different slices of cheese and I put four or five together, will I be able to see through that? Well, it depends on how those Swiss cheese line up. And if all the holes line up, the bad guy can get in. And that’s what we’re trying to prevent. So by doing defense in depth, maybe they get past the firewall, but they can’t get past the IDS, or maybe they get past the IDS, but they can’t get past the antimalware solution. All these things add additional things. And in the old days, we had that really strong perimeter and really gushy inside of our networks these days because of deperimeterization, everybody has devices all over the place. We have to have a lot more defense in depth on each individual asset as well as the network as a whole. And so that’s why I say these are best best practices.

Kip Boyle:
Yeah.

Jason Dion:
The only side caveat I’d have to that we say, is it a law necessarily? Is that, well, it’s not a law. You can still be legally held liable for not applying these best practices. And this actually goes back to an old court case. You want to talk about old things. We’re talking 1975 principles here. When I’m talking court case, I’m talking about 1930s court case. And it’s a court case when radio first came out and there was a boat that had a million dollars worth of cargo going down the Mississippi River, they didn’t have a radio on board. Storm came out of nowhere, hit them, they went [inaudible 00:20:01] ground, they lost the cargo. The owner of the cargo sued the shipping company and said, Hey, you lost my cargo. I want my million dollars. And the shipping company goes, no, no, not our problem. Act of God, we couldn’t control it.

Well, it went all way to the Supreme Court. And the Supreme Court said, well, actually no, you are not using things that everybody else was using like a radio. If you had a radio, they could have told you there was bad weather, don’t go up river, stay in port today. And you wouldn’t have lost the cargo. So because you weren’t using the technology that was now considered commonplace and readily available, you are now going to be liable for it. And the same holds true in our organizations. If we don’t do basic things like encryption at rest, encryption at transit, we don’t do things like making sure that we have a firewall in place. You can be held liable for not having those things in place if you have a data breach.

And so now your company’s going to be on the hook of it because of that court case. And that court case was called the TJ Hooper, I believe was the name of the boat, versus whatever, that was the name of the boat and the shipping company versus the company that owned it. And it was like the East American Trading Company or something like that. But you can look up that court case, and it’s pretty interesting that this old court case from 1932, 1933 still affects us in the cybersecurity world today. And it doesn’t mean that you have to use the latest and greatest technology, but once something becomes commonly used as a best practice in your industry, if you’re not following it, you can be held liable. And so that is where that principle comes back to haunt you as a rule, or a law that could be regulatory consequences.

Kip Boyle:
Oh, that’s great. I love how you trumped me on a 1975 paper with a 1930 something court case. Well done. But you’re absolute correct. And notice that even though that court case had nothing to do with computers, it did have something to do with technology, radio, because radio came on the scene and it changed things. And anybody who wasn’t keeping up was at risk for being healthly liable. And well, guess what? We still have that issue today. What I love about the security design principles is that they are independent of technology. So even though we’ve talked just a lot a few moments ago about defense in depth and firewalls and deperimeterization, okay, fine, but we can take the same principle and we can use it in different contexts. So if you were going to design, let’s say a database, and the database was going to be accessed by a bunch of different people from a bunch of different locations, and at that point it doesn’t really become about the network, it becomes about who should be able to see which data fields, which tables, which columns, which rows.

And you’re probably going to need defense and depth strategy there as well. And so that’s great about these principles is that you can apply them in a lot of different situations to help guide your work. Okay, so having introduced the idea of principles, you can get principles from a number of different sources. So you can go to the ISO series and they’ve got a publication on security design principles. There’s a book from the 1990s called Building Internet Firewalls. It was an O’Reilly publication. The people who published the technical books with the animals on the cover, this is one of their first publications that’s actually free on the internet. And guess what? That’s where defense in depth is defined, it was in that publication, that’s where I learned about it. But what we want to talk about in our series is we want to go back to that 1975 paper, and it was written, just to tell you a little bit about it, by two guys, Jerome Salzer and Michael Schroeder, and they released it in a conference of the Association of Computing Machinery.

And so, what they were trying to do is they were trying to describe the mechanics of protecting computer stored information from unauthorized use or modification. Guess what? They didn’t have internet connectivity back then. They didn’t have firewalls as we know them now, none of that stuff. But they were still concerned with protecting digital assets. And it’s fantastic. Over 45 years later, we can still draw upon these principles in the show notes, we’re going to put in a URL where you can go and retrieve the actual paper. And I encourage you to do that before we actually start unpacking each of the 10. We’ll do one per episode, and if you could go grab that paper and just skim it over, then I think that’s the best way for you to prepare for the 10 episodes that are coming up. And let’s talk for a moment about how you use them on the job.

I think we’ve teased this a little bit, Jason, in the episode already, but I would like you to go first and tell us about a time when you used a security design principle to do a piece of security work on the job. And my contention is, is that if you do this stuff, you’re going to be irresistible to your boss. Your boss is going to be like, holy moly. You didn’t just wing it. You actually did this work based on some timeless principles. And as a supervisor, that impresses the heck out of me, and I think that’s another level of work altogether. But Jason, do you have an example you can share?

Jason Dion:
Yeah, definitely. So as Kip said, there are 10 different design principles, and I think one of the most common ones that we personally utilize in our own development is probably principle number two. And I know we haven’t listed all of them, but I’m going to talk about principle two here, which is the principle of fail safe defaults. Now, what that means is that this is a protection mechanism you’re going to put in place that if it doesn’t know what to do, it should deny access by default. And this way, you’re only going to grant access when explicit permissions exist. Now, what does that sound like to you? To me, it sounds like a firewall. When we configure our firewalls, we always have that last statement that says, deny any, any, because firewalls execute from the top of the list to the bottom of the list. And once they find something that allows, they do it. And if there is no allow, then we’re going to deny.

And so that’s one of the principles we use all the time in our networks. I do the same thing with all of our systems we build. We’re currently building a brand new learning management system. We’re just now building through all of the user authentication systems that we’re going to be putting into this. And all that has to have this idea of fail safe by default. The idea if you’re in a building and it uses mechanical locks, generally we do the opposite of that, because if there’s a fire and the power goes out, we don’t want everybody to be locked in the building. So instead we default open, which is a bad security design principle, but a good lifesaving practice. In our computer systems we want to do it the opposite way. We want to close by default. Anytime you’re not sure, lock it down.

Kip Boyle:
Yep, that’s a great example. I’ll give one. I think that I could probably give an example of every one of these principles that I’ve used on the job, but the one I’m going to focus on right now real quickly is least privilege. So when I started working as a chief information security officer at an insurance company, I was just trying to learn the ropes. How do you guys do things here? How do we get things done? And one of the things that I was poking around at is if a new person comes on the job because hey, I was a new person, they were provisioning accounts for me. And I asked them, I said, well, how do you know what privileges I need on the system and how do you know which data I need access to? And they said, oh, well, we’ll just model you after somebody. And I go, well, what does that mean?

And they said, well, we’ll just find somebody who has the same job that you do, one of your peers, and we’ll just give you everything that they have. And I was aghast. Wait a minute. What if you pick the peer of mine who’s been here for 20 years and worked their way up through the organization and along the way accumulated this enormous set of privileges and accesses, and I’m the new person and you just automatically give those all to me? I’m wildly over-privileged. And so that was one of the first things that I said, we’re not doing that anymore. We’re not doing model after, I get it, it’s easy, it’s convenient, and I know that I’ll be able to get everything that I need to get, but oh my gosh, you’re giving me way more than I need.

And on a personal basis, I didn’t want that because what if I made a mistake? What if I was in there doing something and I accidentally deleted something that I don’t need to have access to for my job, but I blow it away anyway because I’m over-permissioned. And so I felt like that really violated the principle of least privilege.

Jason Dion:
Yeah, I can definitely relate to that. I’ve had many jobs over the years working in around the military and the government. And most times when I came in, for instance, one of my last jobs, I was an IT director and they said, oh, hey, you’re here. Great, here’s your account. And they went and found the person who I was replacing, and they basically copied their account and gave me all those same groups and permissions. And I’m starting to get emails for other things in other places because that person had been in that area for three different jobs at three different organizations, but they’re all still in the same network. And so as he moved from job to job, think about if you’re in a large company and you worked in accounting and then sales and then marketing and then development, you grab all these permissions.

So people always add new permissions because they’re like, oh, I can’t do my job. And they go, oh, no problem. Let me add you to that group. But then they never think when you leave to take those permissions away. And so when they gave me all these permissions, I had all these permissions that he had, I was getting emails on every mailing list out there, and I’m like, whoa, this is not what I need. And I had to go through and say, okay, now take me out of this group and this group and this group, but most people don’t. And so that does violate this idea of least privilege and you get all these access rights that you probably shouldn’t have had.

Kip Boyle:
Yep, yep.

Jason Dion:
Yep.

Kip Boyle:
Okay. Well, anyway, so again, we’re going to be unpacking these 10 security design principles in these episodes that are coming up ahead. And we’re really excited about this. We think this is really going to help you really outperform on the job. And so any last words on this introductory episode, Jason?

Jason Dion:
Yeah, the last thing I want to say as we wrap up this episode is that this is one of the reasons why it’s important is that you have to realize these different security design principles. So as you’re building something and you’re working out there, you can bake in security from the beginning. It’s a lot easier if as we’re coding our new database that we think about least privilege, if we think about how we’re going to protect data at rest, if we think about how we’re going to allow controlling access into and out of the database and all those things, as opposed to saying, here’s an unsecured database, it’s now in the network, now put up all the firewalls around it, now put up a web application firewall, now add authentication, now make it two factor, now make it biometric. We add all these different things.

And if you don’t think about that upfront, the cost associated with that development puts you behind schedule, puts you behind budget, and generally it costs three to five times more to do these security features at the end than it would be at the beginning. And I personally, as I said, we’re building an LMS right now. We spent about two months building out the database structure that’s going to host everything we’re going to be doing to make sure that we had not just data at rest, but each individual field in the database that need to be protected would also be encrypted. For instance, if Kip bought a exam voucher from us, we need to make sure we’re protecting not just Kip’s name and his email, but also the voucher code that we sold him. Because if somebody else gets that code and uses it, Kip is going to be out his $400 and he’s going to want me to replace that voucher, which then cost me an extra $400.

So we were really, really concerned with security from the get-go of making sure that everything was being properly done. And so these security principles we’re going to be talking about over the next 10 episodes of this series are really going to help you understand what the thing is. We’ll give you examples of it, definitions of it, and unpack it and how this applies to your role as a cybersecurity analyst or a pen tester or something else inside this world, because these are these timeless principles you always need to be thinking about. So yeah.

So that said, I hope you come back and join us as we go through this 10 part series and talk about each of the 10 principles and really dive into them in depth. With that being said, I want to thank you for joining us for another episode of Your Cyber Path, and my call to action for you this week is that if you’re not signed up for the mentor notes, go over to yourcyberpath.com and on the front page you’ll see a place you can enter your name and your email and sign up for Kip’s mentor notes.

These mentor notes come out every two weeks with the episodes, and they’re going to give you additional information that you can use in your career, whether that’s information about the latest security breaches, whether that’s information on design principles, or things you should be doing for your resumes, your negotiations, your interviews, all that kind of stuff is stuff that Kip has covered in the past with his mentor notes. They’re completely free to you 100%. We’re not going to be sending you a whole bunch of emails every day trying to spam your inbox. Instead, we only want to give you valuable content. They’re short, they’re digestible, and they’re actionable. And so I do recommend going over to yourcyberpath.com and checking out those mentor notes today, and you can sign up right there on the homepage. That being said, thanks again for joining us for another episode of Your Cyber Path, and we’ll see you next time.

Kip Boyle:
See you next time everybody.