On Higher Order thinking
Learning via reading is easy. But can you apply it in real life? If not, it's the same as if you never learned it in the first place. The beginner's rut is real, as we talked about in On Learning. A good security researcher must also be a good security architect or engineer, or at least have that mindset. This will set you apart by a thousand miles.
Let's say you know about OWASP Top 10 and the basics of web app security. Session management, user management, a little bit of DNS/HTTP security. What should be the next step? How can you avoid falling into the beginner's rut? You need to think in higher order and look past the easy stuff. Go beyond simple memorization. Start the process of applying, analyzing, and synthesizing.
Here's how I would approach it if I only knew the basics of the topics listed above and wanted to take the next leap: I would try to tackle a problem of the following nature:
Design a secure, zero trust, multi tenant SaaS platform, something like an AI app builder, that provisions dynamic subdomains like tenant-id.foo.com for thousands of users daily, with a primary emphasis on defending against cross tenant attacks, data exfiltration, and privilege escalations.
Security Focus Areas:
- Automate per tenant certificates and enforce HSTS to prevent MITM attacks and ensure encrypted traffic isolation per subdomain.
- Secure subdomain provisioning to mitigate hijacking risks, including validation of ownership and automated cleanup of stale records.
- Implement MFA, token binding, and just in time access controls with subdomain specific sessions to block unauthorized lateral movement. Also, ensure cookies are not scoped to
*.foo.com. Requests betweentenant-a.foo.comandtenant-b.foo.commust be considered cross site, not same site.
This exercise will take you beyond the basics. You'll learn:
- Zero Trust Architecture Fundamentals
- Multi Tenant Subdomain Provisioning
- TLS Certificate Automation and Security
- HSTS Enforcement
- DNS Security Best Practices
- Token Binding Mechanisms
- Just In Time (JIT) Access Controls
- Subdomain Specific Session Management
- Cookie Scoping and Security
- Cross Tenant Attacks
- Privilege Escalation Defenses
In the words of Henry Ford:
Thinking is the hardest work there is, which is probably the reason why so few engage in it.