Laurens van der Blom

Software architect. Security professional (CISSP). Fitness/bootcamp guru. Obstacle runner. Ski lunatic.



Happy, healthy and secure 2020!

Published: Wednesday, January 1, 2020
Word count: 1416. Estimated reading time: 7 minutes.

TL;DR

No summary this time. It's just this one whole post. Enjoy!

Here's to a happy, healthy and secure 2020!

2019 has been a busy year. Lots of work done, participated in lots of sports activities, unfortunately also had some setbacks in a few areas, and most of all: successfully achieved my CISSP certification! The study for CISSP took a lot of my time. It was a lot of material to go through, and combined with work and sport I had little time left for myself. I was aware I could not do much for my website during this period, despite my intention to keep it up-to-date regularly. On Twitter and other media sources I did follow plenty of information security news, and I'm glad to see that it is such an active community with many knowledgeable people who contribute to a better and more secure internet.

It reminded me of the Contract of the Web. It's a manifesto written by Tim Berners-Lee, the founder of the world wide web. He is a strong supporter of the following core principle of the internet: bring people together and make knowledge freely available. The components (principles) of the manifesto are targeted at different groups: governments, companies and citizens. Each group has a set of responsibilities to achieve and maintain that core principle of the internet. Several organisations have signed that manifesto, indicating that they intend to uphold it, make the internet widely available and keep it secure. It's a huge responsibility for those involved.

Let's go back a little bit, using the above in the context of security and privacy. Governments and companies must ensure security and privacy in their software implementations on the web (i.e. websites and web applications) and plenty of them are really trying, with or without certifications in this area. Unfortunately, there are still problems. Some organisations respond quickly and transparently to solve the problems, others do not. I have written an article about this. I'd like to point out some specific problems below.

Firstly, nowadays there is a lot of data about people stored everywhere in this world, data about everyone, including you and me. There are companies that harvest such data for reselling or advertising purposes, with claims that it is anonymised, but the data breaches usually show otherwise. Then there is also the actual, non-anonymised data that governments and companies use to provide or sell products and/or services. If that leaks, then that is already a big problem and could potentially already be the end of you, so to speak (see, among others, the Ashley Madison data breach). The problem grows even more when multiple sets of leaked data can be correlated. The data harvesters therefore also play a substantial role in this. Troy Hunt has written plenty of articles about it. See here and here. The same goes for Scott Helme on more technical matters that help you protect the data in clever ways. See here and here. I strongly advise you, if you're involved in such matters, to read these articles (and to subscribe to updates from these people as well).

One could say that there are not enough facepalms in this world to cover all those security incidents. It's always one too many. Don't get me wrong, I know security is a difficult subject and it's not easy to strike a balance between business/functional requirements and security (and other non-functional) requirements in development processes. After all, the former is a lot more tangible and visible than the latter. Functionality is what brings the core value (or business value, depending on how you look at it) of a software implementation. It's not just development either: it's also the organisation as a whole that stores data about (among others) its customers, its suppliers, its employees and its intellectual property, which must be protected as well. To get that done in large organisations with people, especially the management and the managing board, who have limited knowledge about this subject matter is difficult, to put it lightly. There are also the small organisations and one-man businesses, whose owners cannot afford the time (and money) to go in-depth on this subject all by themselves. This is why guidance from people with knowledge and experience is necessary.

Secondly, on a different note, an interesting subject is digital voting and why it should not be done. Tom Scott explains it thoroughly, twice. See here and here. It has recently been covered in the news as well. Yet, attempts are still being made to get digital voting working. My personal opinion is that some things are better left the old-fashioned way, so let's just do that. People understand paper and can observe the entire process. Basically, the Big Community is watching, which makes such elections robust against attacks. Who is to say that a digital implementation is safe from that? No one really understands how computers work, and even if some do, there is no guarantee computers work without errors. They may assist, of course, for instance in counting votes for exit polls, but people have the final say by double or triple checking manually.

Yet, there are governments that think differently about digital voting and pump money into it. While that may not necessarily be bad by itself (research is one of the fundamentals of the growth of mankind) and while the intentions are good, governments (and companies) must be aware that there are things that cannot be done. Some things may be possible with enough time, but other things just are not. In this context, people must be aware that decisions must be made based on the correct information, especially when they don't master the subject.

Thus, my point is that everyone (i.e. governments, companies and citizens) needs everyone (i.e. governments, companies and citizens, again). It could be a software project built by an enterprise company, some project funded by the government, or it could be a (serious) hobby of an individual. It does not matter: the problem is that no one can ever know everything, let alone have the right people in house who can do everything. It is and has always been a team effort, where knowledge is crucial and must be shared, in one way or another. Such a team should consist of pretty much anyone with the right knowledge, not just the people in house or just yourself. By being transparent about what you're working on, you allow other people to contribute to your work, be it actual software contributions (i.e. open source), knowledge contributions or something else. Basically, it helps you to make the right decisions, whether (for example) it's about improving the quality of a software product currently in development (and how) or about the choice to implement digital voting or not (the latter of which should be clear by now).

It does not really matter whether external support is enterprise support from other companies or people, or support from communities: there are always people who know more about specific subject matters than you do by yourself. That's why what I saw on Twitter and other media sources reminded me of the Contract of the Web. A little bit of cooperation can get you a very long way. Learn from the experience and knowledge of others. Or, in other words, just do what Joe de Sena from the Spartan Races says here: it's applicable to pretty much anything! But don't forget to stay critical by using common sense and (if applicable) your own knowledge. When in doubt, always get a second opinion.

With all that said, I propose a toast to a new happy, healthy and secure year! Let's make 2020 a good one! I intend to keep this website more up-to-date in line with what I've said above, so there'll be more content to follow! I also intend to pursue more certifications regarding security, not only to contribute to the development of more secure products for my current employer and to share knowledge with fellow colleagues, but also to contribute more to the information security community itself for a better and more secure internet. So, see you around!

On a side note, I have now added a new section to my website, called Sport statistics, where you can now see my achievements regarding sport. It's mostly for myself, in order to have an overview of what I've done so far, but let it inspire you as well to go out there and have fun (and then win)! Let's sport!