Security Mindset

Bruce Schneier's remarks about the security mindset, the way of thinking you need in order to design effective security countermeasures and to think like an attacker, are interesting.

He's certainly correct that such a mindset exists and that it's extremely difficult to teach, though I'm not completely convinced it's something you're born with. As with many things in life, determination, patience and practice are key factors.

In fact, it's always essential to get an independent evaluation of any complex design, such as a cryptographic algorithm. Often the originator is too close to the work to see the flaws. And there always are flaws.

And you do have to think differently. I once hired the late great Donald Davies, the inventor of packet switching, to review a cryptographic algorithm. "How long will it take?" I asked. "It'll take three weeks," he replied. "Just give it to me in any computer language. I can read them all. And I'll put it in my head. Three weeks should be enough thinking time. After that we'll get diminishing returns." Wow.