On Higher Order thinking
Learning via reading is easy. But can you apply it in real-life scenarios? If not, it’s the same as if you never learned it in the first place. The beginner’s rut is real, as we talked about in On Learning – Avoiding Mediocrity. A good security researcher must also be a good security architect or engineer—or at least have that mindset. This will set you apart by a thousand miles.
Let’s say you know the OWASP Top 10 and the basics of web app security (session management, user management, a little bit of DNS/HTTP security). What should the next step be? How do you avoid falling into the beginner’s rut? You need to think at a higher order and look past the easy stuff: go beyond memorization and start applying, analyzing, and synthesizing what you know.
Here’s how I would approach it if I only knew the basics of the topics listed above and wanted to take the next leap: I would try to tackle a problem of the following nature:
Design a secure, zero-trust, multi-tenant SaaS platform (e.g., an AI app builder) that provisions dynamic subdomains (e.g., tenant-id.foo.com) for thousands of users daily, with a primary emphasis on defending against cross-tenant attacks, data exfiltration, and privilege escalations.
Security Focus Areas:
- Automate per-tenant certificate issuance (e.g., via ACME) instead of sharing one wildcard key across every tenant, so a compromise of one tenant’s edge does not expose the others, and enforce HSTS (on the apex with includeSubDomains) so browsers refuse plaintext and downgrade attempts against any tenant subdomain.
- Secure subdomain provisioning to mitigate hijacking: validate that the requesting tenant owns the label before any DNS record is created, reject reserved or look-alike labels, and automatically remove records for deleted tenants so a dangling CNAME cannot be claimed by someone else (classic subdomain takeover).
- Implement MFA, sender-constrained tokens (browser Token Binding was never widely deployed, so in practice this means DPoP or mTLS-bound tokens), and just-in-time access controls with subdomain-specific sessions to block unauthorized lateral movement. Also ensure cookies are host-only, never scoped to *.foo.com via a Domain attribute. Requests between tenant-a.foo.com and tenant-b.foo.com must be considered cross-site, not same-site. Note the catch: browsers decide same-site by registrable domain (eTLD+1), so sibling subdomains of foo.com are same-site by default; to make them cross-site you must register foo.com on the Public Suffix List, as github.io and similar hosting domains do.
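The cookie-scoping point above is easy to state and easy to get wrong, so here is an added example (not code from the original post) that mirrors the browser’s rules: a `__Host-` session cookie with no Domain attribute, a checker that flags a cookie shared across `*.foo.com`, and a registrable-domain comparison that shows why tenant-a.foo.com and tenant-b.foo.com are same-site until foo.com is on the Public Suffix List. `foo.com`, the tenant labels and the tiny suffix set are placeholders constructed for the demo; the real PSL also has wildcard and exception rules that this simplified lookup omits.

```python
"""Host-only cookies and same-site checks for tenant subdomains.

Added example for this post, not code from the original. The domain
names and the mini public-suffix list below are constructed for the demo.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# Browsers treat two hosts as same-site when they share a registrable
# domain (eTLD+1), so sibling tenant subdomains are same-site unless the
# parent domain is itself listed as a public suffix.
PUBLIC_SUFFIXES_DEFAULT = {"com", "net"}
PUBLIC_SUFFIXES_WITH_FOO = PUBLIC_SUFFIXES_DEFAULT | {"foo.com"}


def registrable_domain(host: str, public_suffixes: set[str]) -> str:
    """Return eTLD+1: the longest matching public suffix plus one more label."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix down, so "foo.com" wins over "com".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no public suffix found for {host}")


def is_same_site(origin_a: str, origin_b: str, public_suffixes: set[str]) -> bool:
    """Schemeful same-site check: same scheme and same registrable domain."""
    a, b = urlsplit(origin_a), urlsplit(origin_b)
    if a.scheme != b.scheme:
        return False  # http vs https is cross-site
    return registrable_domain(a.hostname, public_suffixes) == registrable_domain(
        b.hostname, public_suffixes
    )


def build_session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for a tenant session.

    No Domain attribute: the cookie is host-only, so one issued by
    tenant-a.foo.com is never sent to tenant-b.foo.com. The __Host- prefix
    makes browsers reject the cookie if Domain is set, Secure is missing,
    or Path is not "/".
    """
    if not name.startswith("__Host-"):
        name = "__Host-" + name
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def check_cookie_scope(set_cookie: str) -> list[str]:
    """Return the problems found in a Set-Cookie header (empty if well scoped)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    problems = []
    if "domain" in attrs:
        shared = attrs["domain"].lstrip(".")
        problems.append(f"Domain={attrs['domain']} shares the cookie with every *.{shared} host")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in {"strict", "lax"}:
        problems.append("SameSite should be Strict or Lax")
    if not name.startswith("__Host-"):
        problems.append("no __Host- prefix")
    return problems


if __name__ == "__main__":
    good = build_session_cookie("sid", "opaque-session-id")
    bad = "sid=opaque-session-id; Domain=.foo.com; Path=/"
    print(good, check_cookie_scope(good))
    print(bad, check_cookie_scope(bad))
    for suffixes in (PUBLIC_SUFFIXES_DEFAULT, PUBLIC_SUFFIXES_WITH_FOO):
        print(sorted(suffixes), is_same_site("https://tenant-a.foo.com", "https://tenant-b.foo.com", suffixes))
```

Run it and the same two origins flip from same-site to cross-site purely on whether foo.com is a public suffix; that PSL entry, not anything in the cookie, is what makes SameSite cookies and Sec-Fetch-Site isolate tenants from each other.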
This exercise will take you beyond the basics. You’ll learn:
- Zero-Trust Architecture Fundamentals
- Multi-Tenant Subdomain Provisioning
- TLS Certificate Automation and Security
- HSTS Enforcement
- DNS Security Best Practices
- Token Binding Mechanisms
- Just-In-Time (JIT) Access Controls
- Subdomain-Specific Session Management
- Cookie Scoping and Security
- Cross-Tenant Attacks
- Privilege Escalation Defenses
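For the subdomain provisioning focus area above (ownership validation and cleanup of stale records), here is a second added example that is not from the original post: a label validator that rejects malformed, reserved and already-taken names, and a reconciliation pass over a DNS zone that flags records with no active tenant behind them and CNAMEs pointing at targets the platform no longer controls, which is exactly the dangling-record state that subdomain takeovers exploit. The tenant registry, zone snapshot, `foo.com` base domain and `foo-infra.example` edge hosts are all constructed for the demo; a real deployment would read them from its database and DNS provider API.

```python
"""Tenant subdomain provisioning: label validation and stale-record cleanup.

Added example for this post, not code from the original. All names and
records below are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

BASE_DOMAIN = "foo.com"  # placeholder platform domain
# DNS-label shape: 3-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{3,63}(?<!-)$")
# Labels never handed to tenants: they collide with platform endpoints or
# look official enough to help phishing. Constructed list for the demo.
RESERVED_LABELS = {"www", "api", "admin", "login", "auth", "mail", "cdn", "support"}


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified name, e.g. "tenant-a.foo.com"
    rtype: str   # "A" or "CNAME"
    target: str  # IP address or CNAME target


def validate_label(label: str, taken: set[str]) -> str | None:
    """Return a rejection reason, or None if the label may be provisioned."""
    label = label.lower()
    if not LABEL_RE.match(label):
        return "label must be 3-63 chars of [a-z0-9-], not starting or ending with '-'"
    if label[2:4] == "--":
        return "labels with '--' in positions 3-4 are reserved (IDNA, e.g. xn--)"
    if label in RESERVED_LABELS:
        return "reserved platform name"
    if label in taken:
        return "already provisioned"
    return None


def find_stale_records(
    zone: list[Record], active_tenants: dict[str, str], owned_targets: set[str]
) -> list[tuple[Record, str]]:
    """Flag tenant records that must be removed or repaired.

    active_tenants maps label -> the target that tenant was provisioned to.
    owned_targets are hosts/IPs the platform still controls; a record whose
    target is outside that set is dangling and can be claimed by an attacker
    who registers the abandoned target.
    """
    suffix = "." + BASE_DOMAIN
    stale = []
    for rec in zone:
        if not rec.name.endswith(suffix):
            continue
        label = rec.name[: -len(suffix)]
        if label in RESERVED_LABELS:
            continue  # platform-owned names are managed elsewhere
        expected = active_tenants.get(label)
        if expected is None:
            stale.append((rec, "no active tenant owns this name; delete it"))
        elif rec.target not in owned_targets:
            stale.append((rec, "target is no longer controlled by the platform (dangling, takeover risk)"))
        elif rec.target != expected:
            stale.append((rec, "target differs from the tenant's provisioned target"))
    return stale


# Constructed sample data: two live tenants, one decommissioned edge host,
# and a record left behind by a deleted tenant.
ACTIVE_TENANTS = {"tenant-a": "edge-1.foo-infra.example", "tenant-b": "edge-2.foo-infra.example"}
OWNED_TARGETS = {"edge-1.foo-infra.example", "edge-2.foo-infra.example", "203.0.113.10"}
ZONE = [
    Record("tenant-a.foo.com", "CNAME", "edge-1.foo-infra.example"),
    Record("tenant-b.foo.com", "CNAME", "old-edge.foo-infra.example"),  # edge was decommissioned
    Record("tenant-c.foo.com", "CNAME", "edge-1.foo-infra.example"),    # tenant-c was deleted
    Record("www.foo.com", "A", "203.0.113.10"),
]

if __name__ == "__main__":
    for candidate in ("Tenant-D", "admin", "-bad", "xn--abc", "tenant-a"):
        print(candidate, "->", validate_label(candidate, set(ACTIVE_TENANTS)) or "ok")
    for rec, reason in find_stale_records(ZONE, ACTIVE_TENANTS, OWNED_TARGETS):
        print(rec.name, rec.rtype, rec.target, "->", reason)
```

The reconciliation should run on a schedule and on every tenant deletion, and the safe order of operations is to delete the DNS record before releasing the edge resource it points at; the reverse order is what leaves the window in which someone else can claim the target.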
In the words of Henry Ford:
Thinking is the hardest work there is, which is probably the reason why so few engage in it.