Cognitive Bias — or How Do You Overestimate Your Competence.

Kseniia Ryuma
HashiCorp Solutions Engineering Blog
4 min read, Apr 22, 2020

The current computer security landscape is a rapidly evolving playground. Many companies that try to avoid data breaches find it difficult to keep up with cybersecurity innovations. Whether you are a software developer or a technical decision-maker, it is in your personal interest to pick the tool that will keep your application secure.

In this blog, you will find out:

  1. How to avoid cognitive bias about your own knowledge or competence, so that you can make an adequate decision on avoiding data breaches
  2. What a secret is and why you should use a secret management tool
  3. And finally, the best practices one can adopt to avoid sustaining damage

Cognitive bias

Two psychologists, Dunning and Kruger, found that when we don’t know what we don’t know, we overestimate our abilities. This cognitive bias is known as the Dunning–Kruger effect.

You might not have heard of the Dunning–Kruger effect, but there is a high chance you have felt like almost an expert while still being a beginner. When one picks up a new hobby, such self-deception is not as critical as it is when one makes decisions about an organization's security. According to a survey from ZDNet, “68% of the security professionals surveyed believe it’s a programmer’s job to write secure code but they also think less than half of developers can spot security holes.” Moreover, while developers are expected to write secure code, they are rarely advised on how to do so! To avoid the self-deceiving stance of “I know everything”, let the true experts, who invest sufficient financial and human resources in the topic, guide you.

To write secure code is not enough

Assume that developers actually write code that is 100% free of vulnerabilities. What is your trust model for who needs access to what? What are your secrets, and where do you store them? How can those secrets be maintained? A secret is a set of credentials that grants access; it is something that elevates your risk if exposed to unauthorized entities. Examples of secrets include usernames and passwords, database credentials, API tokens, and TLS certificates. Once those are exposed or managed improperly, besides suffering a data breach through unauthorized data access, you can also receive severe regulatory fines.

One of the challenges of maintaining a high security posture arises when secrets for a production environment are stored locally. If a developer claims that he doesn’t store credentials locally, yet at the same time uses SSH to reach a VCS that holds a production environment, a vulnerability is introduced into the application. In the picture above you can see a few points where threats to your sensitive data can be introduced. The list starts at the point where a developer stores his credentials in a plain-text file or leaves secrets unencrypted in configuration management tools (like Chef, Puppet, or Ansible). Later, if there is no mechanism that protects credentials at the application level, those can leak into log files, any sort of monitoring, or diagnostic outputs. Finally, if the data is not encrypted in transit or at rest, your sensitive information can be compromised. As a result, if you do not have a secret management tool that lets you centrally store your secrets securely, you have neither fine-grained control over secrets nor an audit trail.
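The leak path above, credentials ending up in log files and diagnostic output, is one that application code can close on its own. The following is an added example, not code from the original post or from Vault: a `logging` filter that masks secret-shaped values (connection-string passwords, `password=`/`token:` pairs, `Authorization` headers) before a record is written. The patterns and the sample log lines are constructed for illustration and should be extended for your environment.

```python
"""Mask secret-shaped values before they reach log files or monitoring."""
import logging
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "[REDACTED]"
# Constructed patterns: URLs (to find embedded userinfo passwords),
# key/value pairs such as password=..., and HTTP Authorization headers.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"']+", re.IGNORECASE)
KV_RE = re.compile(
    r"(password|passwd|pwd|secret|api[_-]?key|token)\b(\s*[=:]\s*)([\"']?)([^\s\"',;&]+)\3",
    re.IGNORECASE,
)
AUTH_RE = re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)(\S+)", re.IGNORECASE)


def _redact_url(match):
    """Keep scheme, user, host and path of a URL; hide only the password."""
    parts = urlsplit(match.group(0))
    if parts.password is None:
        return match.group(0)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=f"{parts.username}:{MASK}@{host}"))


def redact(text):
    """Return text with every recognised secret value replaced by MASK."""
    text = URL_RE.sub(_redact_url, text)
    text = KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{MASK}{m.group(3)}", text)
    return AUTH_RE.sub(lambda m: m.group(1) + MASK, text)


class RedactingFilter(logging.Filter):
    """Attach to a handler so redaction runs on every record, including %-args."""

    def filter(self, record):
        record.msg = redact(str(record.msg))
        if record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("orders")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed diagnostic line of the kind that leaks a database password.
    log.error("connect failed: %s", "postgres://app:Sup3r!@db.internal:5432/orders")
```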

The Solution

While there is no 100% guarantee of safety across your entire cybersecurity estate, HashiCorp Vault addresses all of the concerns listed above. Vault tackles the challenge of securing distributed application infrastructure in the low-trust network model of cloud and on-prem systems. With Vault, you can manage your secrets and protect sensitive data. Some of the smartest minds contribute to Vault. As an example, Jeff Mitchell has hacked on dozens of open-source projects over the past decade, and now he is living the dream of being paid to work on open-source software full-time as the project lead on Vault. You can check his presentation on Managing Secrets in a Container Environment for more insights on effective approaches to secrets management. Vault is also popular among its users: Adobe, Exunix, Splunk, Barclays, and many others trust Vault. While how Vault can resolve your pain points is another topic, the value of having Vault in your organization will continuously grow over time.

In Conclusion

Security must stay consistent as your application grows in complexity. The security of your application is not a destination, but rather a journey. At the very least, allow that journey to be a low-stress and pleasurable one.

Learn more about HashiCorp Vault here: https://www.hashicorp.com/products/vault/
