Developers must have a warrior mindset and begin to play war-games if the eternal battle against hackers is going to be won, said Oracle’s chief security officer, Mary Ann Davidson.
“Those who design and build critical information systems need a warrior mindset reinforced by warrior training and war games,” she told an audience at the AISA National Conference. “The reality is systemic risk can’t be mitigated.”
Davidson, a US military vet, said developers have a lot to learn from how the military plans and carries out its operations. In particular, it’s fatal to assume boundaries – such as network perimeters and firewalls – will always hold.
“The US Marines know there will always be breaches in the perimeter,” she said. “And they also know there will always be casualties. That’s why everyone in the Marines, from an office administrator to a sniper, is trained to take up a rifle in defense.”
One key to instilling a warrior mindset is to change the way developers are educated at the tertiary level. “Every developer must start to think like a hacker,” she said. “Too often, when a security breach is found, the developer turns around and says ‘but it wasn’t designed to do that.’”
Security, she added, must be embedded in the class, and in the curriculum. “Lack of software assurance is a cultural weakness manifest as a technical weakness,” she said. “You simply can’t win on defence. You have to go on the offense.”
Davidson was speaking at the Australian Information Security Association Conference in Sydney.