“I used to attack because it was the only thing I knew. Now I attack because I know it works best.”
- Garry Kasparov, chess legend
Chess is an oft-used analogy for cybersecurity because the two have much in common. At their core, both are games of strategy that pit two adversaries against each other in a duel of intellects. The best chess players do not merely apply pre-meditated tactics to win. Rather, they inhabit their opponents’ minds, study their psyches, and view the world from their antagonists’ viewpoint before they even sit down at the chessboard. They build defenses ahead of time to force their opponents’ hand, and think three moves into the future to anticipate counterattacks. The goal, of course? Stay alive.
The same goes for cybersecurity: Anticipating cybercriminals’ moves and building appropriate mechanisms to deal with each one is something that must be done proactively, and is necessary to combat the most sophisticated cybercriminals successfully.
While many secure code training programs subscribe to a defensive-only philosophy of responding to threats as they emerge, at HackEDU we understand the necessity of thinking three steps ahead. That’s why our training philosophy encompasses offensive as well as defensive strategy, to equip developers with the most comprehensive knowledge of code-based attack vectors.
Defensive training focuses on ways to defend against known threats by prescribing fixes for each type of vulnerability. It is the ‘how’ of secure coding training. Defensive training alone is great for developers who are learning about secure coding for the first time, as it offers them a gentle introduction. But it is limited by two things: the number of examples and corresponding solutions that the designers of the training can develop, and how much of the training the developers who take it are willing to consume. The knowledge scaffolds in a linear progression, and is bounded by the quantity of training consumed.
The greatest weakness of defensive training is that it doesn’t help developers think more critically: they are taught almost Pavlovian response mechanisms (i.e. this is what I see, this is how I respond) instead of approaching vulnerabilities from a more holistic perspective. It is a great starting point for secure coding training, but it is limited in its ability to help developers advance their secure coding skills beyond a rudimentary level.
The offensive training philosophy focuses on adopting the mindset of attackers, and becoming knowledgeable about their methods. Offensive training offers conceptual knowledge - it is the ‘why’ of vulnerabilities - so that students grasp the underlying principles that cause the vulnerabilities. In developing these skills, developers learn to anticipate how their code could be at risk as they’re writing it, and figure out ways to write more secure code. This is one of the greatest reasons to adopt offensive training - its contributions are exponential, as the shift in mindset, the improvement in critical thinking skills, and the more thoughtful and deliberate coding that results are multiplicative elements. This stands in sharp contrast to the linear amble of a purely defensive approach.
The other primary benefits of including an offensive component in security training? Science has shown that it is superior to defensive training alone at increasing motivation and improving comprehension of the material. This is of vital importance when rolling out training to developers in a modern environment, as training vies with the product roadmap and other professional and personal priorities for developers’ attention.
NOTE: A common misconception among beginners is that offensive training equates to red team training or pentesting training. While these disciplines are based on offense, they are not synonymous with offensive training.
Winning at chess
Beth Harmon, the protagonist in Netflix’s “The Queen’s Gambit” series, says, “Do you see it now? Or should we finish this on the board?” If you’re reacting in cybersecurity, you’ve already lost, as your antagonists have already breached your defenses.
By choosing the right philosophy on which to develop your secure coding training program, you ensure the greatest possibility of success for your efforts to prepare your development teams to develop code within a secure software development lifecycle. Choose the wrong one, and you limit how much your investment in training can accomplish. Layering on other concepts, such as gamification, or learning science principles, cannot yield improved results if the foundation upon which they sit is fundamentally flawed. Science has already lent its gravity to the claim that a training posture that includes the offensive component is superior to just defensive training. Combining both offensive and defensive training helps ensure the best possible result for your secure coding efforts.