Laura is the founder and lead consultant for SafeStack, a security training, development, and consultancy firm. What does that mean exactly? SafeStack helps organizations choose the right kind of security best practices for them. Then, Laura's team shows them how to implement those new-found security protocols. This usually calls for a strong dose of workplace culture change, which might sound like a tall order, but Laura tells me in this interview "we want security to be an empowering tool for growth rather than a costly hindrance to innovation."
Why do you write systems that electronically attack people?
I like people. I really do. I care deeply about how we keep ourselves and each other safe in this connected world we have built. But, there are a lot of people out there that don't think like us. They want to attack people for personal or political gain. They want to steal and cheat their way into a better position. So, we need to learn how to protect ourselves from people like that. But to do so, we need to know how we would react first. Before it gets real.
SafeStack is the company I built to simulate those behaviors for businesses, in a safe and controlled way, so that they can learn how to protect themselves effectively.
What can you tell us about the security tools?
At this point there are very few human security tools available. The primary alternative is the Social Engineering Toolkit, which is open source. This tool however is squarely aimed at social engineering penetration testers (offensive security) rather than defense and education. At SafeStack, we use a great many non-security tools and technologies, in addition to AVA, to get the job done—from container systems such as Docker, to authentication and directory management systems such as LDAP.
What were your top concerns when you open sourced AVA?
AVA is a complex system that allows you to create and send potentially malicious or mal-intentioned messages to people in your organization. It also maps the connectivity of people in an environment and identifies who would be most at risk from this sort of attack. I thought it was important to make it open source, but my concern was giving access to it to those with less noble intentions, or lowering the bar for less able attackers to get involved.
Are you able to keep it out of the wrong hands?
Sadly, I think if someone is sufficiently motivated they will always find a way to do something wrong, regardless of the protections we put in place. I think however by making sure the tool is engineered to be closely tied to good privacy practice and its mission, we ensure the engineering work required to make the tool useful for alternative purposes will outweigh the benefit of doing so.
What are some of the problems SafeStack is trying to solve right now?
At SafeStack we are bringing security practices and culture into fast moving, fast growing organizations around the world. Focused on ensuring the applications and organizations we build are secure by design, we want security to be an empowering tool for growth rather than a costly hindrance to innovation.
Our primary focuses are agile/continuous application security (whole development/deployment life cycle) and human centric security (protecting our people).
This article is part of the Speaker Interview Series for OSCON 2015. OSCON is everything open source—the full stack, with all of the languages, tools, frameworks, and best practices that you use in your work every day. OSCON 2015 will be held July 20-24 in Portland, Oregon.