Why I ran a lock-picking session in my office.

“What an opportunity to demonstrate the power of collaboration between security and engineering when building a product.”

Head to any major security conference, be it B-Sides, BlackHat or DefCon you’re likely to come across a lock picking village. But why?

Aside from the fact that it’s good to just sit and be still (see n number of posts on mindfulness), I truly believe lock picking provides a good ice breaker and an avenue to talk about the importance of security.

Take your standard padlocks (4 pin tumbler locks) are common and meet functional requirements, they’re built for a specific threat model and perform their job well. The padlocks though, are really easy to pick, the tools are easily accessible and tutorials are all over the internet. To me, they’re a good example of building purely to one set of (functional) requirements, and only testing against one set of (functional) requirements. The product works, it sells but it’s not secure. In addition, introducing security now requires a complete re-design of the mechanics, hugely costly.

Encourages shifting security left

When I run these lock picking sessions I talk about the power of having security (and other SME’s) engaged right from the beginning. We can provide design support, review architectures, test as we go and become trusted advisors. We can also talk about Threat Models, and how security can support even at the design and ideation phase. Threat vectors, the threat landscape and threat actors. For example, in London, a strong 4 pin padlock protecting my bike is more at risk from bolt cutters than lock picks so that should dictate how I decide to protect my asset. That might not be the case everywhere.

Introduces the concept of security testing

Not just pen testing, but actually testing the security of a product at every stage. When we lock pick we have an opportunity to discuss the mechanics of the lock and why it’s easy to pick, even when we change to other tumbler style locks. Introducing the power of a security engagement in ensuring the vulnerability wouldn’t be passed on to other implementations of the mechanics (hey spring loaded locks). We can draw parallels to discussing engineering patterns and how we can introduce security tests in the same way we use functional/ load/ requirements testing to validate the presence — or fix — of vulnerabilities continuously (e.g. every build).

Builds (security team) brand awareness

Lock picking sessions are great advertising tools too, I do some up front advertising on Slack, in office newsletters and via word of mouth but there’s nothing like taking over one of the tables in a communal area to catch that drive by traffic with “wanna learn how to pick a lock?”. These types of sessions are disarming, people are intrigued, they want to learn more and now, as they take time learning how to hold the picks and use them, you have a captive audience to talk about security with.

Most importantly, they know who you are now. You are a contact in a team they may have known little about, a resource they can use to ask questions of, look to for advice or even confide in.

It’s totally legal, cheaper than running multiple team lunches and good fun. Why not try it?

As an FYI the best picks I’ve used are by MadBob, these don’t tend to break easily and are much nicer to hold than other cheaper brands. However, there’s nothing wrong with using a cheaper set on Amazon, just be prepared for them to break!