What I Learned at DEF CON 27

By Brian Nash

As a component of our research on developer motivations, I spent several August days in Las Vegas at the 2019 DEF CON hacking conference. It’s a fantastic community of people who spent their time openly teaching me everything from how to disguise signals between remote systems inside cached DNS requests to which antenna shape would improve the Wi-Fi coverage on my patio. It’s one of the most diverse groups in tech and one of the most welcoming, happily embracing the weird and the unusual with an open door to outcasts and non-traditional thinking. I learned a great deal from them - some of which I probably shouldn’t blog about! - but wanted to especially share with you a development culture perspective.

Hey, these hackers are just engineers!

Firstly, they aren’t really that weird. They have a lot of the same challenges, frustrations and desires as all the developers building enterprise software all over the world. Actually, some of them do that too, during the day! Just like every other software team out there, they care about the quality and reliability of their code. They are often collaborating with a team and building apps and systems together, but usually without the luxury of enterprise collaboration tools or the budget to fly across the world to meet around the whiteboard. Sometimes they don’t even know their teammates’ real names! This means that code integration tools and careful management of dependencies are extremely important for them. It’s not uncommon for an ambitious hacker to write code that will be released once and never updated - because there’s never another opportunity to access that system - so testing in production-like environments is even more valuable, and being able to spin up identical test environments on demand, in quantity, has been a very powerful tool for them. You might think your organization is highly nimble and has been extremely quick to adopt ephemeral containerized infrastructure, modern DevOps and a microservices architecture, but these independent developers are definitely adopting new technologies faster than the enterprise.

Creative developers are creative

The hacker community - and to a large extent, the open-source community - is an example of what intelligent people can invent when left to their own creativity to solve problems. Without restrictions on tools, platforms or programming methods, they are free to be extremely open-minded and often solve problems in ways no one would have conceived. This is why we hold “hackathons” in our offices as an attempt to capture some of this collaborative innovation. It’s why our industry tries to give developers time for inspiration-driven passion projects. It’s why we here at CloudBees shout from the rooftops how important it is to enable developer creativity and give your software engineers a reprieve from tedium. Your team is brilliant, creative and innovative, too, as long as the business can avoid hitching too many anchors to their sailboats.

Security is a lifestyle

Who do you think spends more time and energy every day thinking about, researching and testing application security: your development organization, or the hackers hoping to compromise your system? I bet you know the answer, and it terrifies you - or it should. The hacking community lives and breathes security, and they are extremely serious about it. It’s not just a bunch of tin foil hats at the keyboard - these are people who question every USB port before charging their phone, check website certificates before entering their password, and can count off the list of unpatched vulnerabilities in your version of Linux on their fingers. Is your organization this serious about security, or is it just a necessary evil that many of your people only pay attention to long enough to pass their security training? Professional system compromisers are exploring software weaknesses, hardware vulnerabilities, physical access, personnel-based social engineering and categories of approach that you aren’t even thinking about yet, both to bypass your walls and to protect their own systems from you, the authorities, and each other. Exploits are a business of creativity, ingenuity and patience, and you can bet they aren’t simply doing the minimum required and going on about their day. They certainly aren’t trusting their cloud providers to protect them - actually, they fundamentally mistrust them and take steps to protect their data from infrastructure that may willfully or accidentally expose it. Even in your own datacenters, there are key architectural decisions you might be making now that may limit your ability to secure your systems later. So, if your DevOps isn’t actually DevSecOps and you aren’t involving your security professionals all along the development path for every application you create, some boot-quaking is entirely justified.

The Lessons of DEF CON

In just a few sentences, these are my takeaways for you from #hackersummercamp. Embrace the tools and culture that give your teams their best chance to be creative. Hold them to a high standard of security at every step of the software process and expect the rest of your organization to hold such high standards, as well. Stay abreast of what the independent developer community is building and be open-minded to new tools and techniques it might make sense to adopt. Also, go give your CISO an HR-appropriate hug because they have some very creative hackers to worry about.
