How being public by default in security builds trust

{::options parse_block_html="true" /}

We sat down with GitLab sr. security researcher Mark Loveless to talk about his role, how he sees the tech industry changing and the freeing feeling that working public by default (even in Security) brings and the trust that it builds.

Name: Mark Loveless

Title: Sr. Security Researcher

How long have you been at GitLab?: I joined February 2019

GitLab handle: @mloveless

Connect with Mark: LinkedIn / Twitter

Tell us what you do here at GitLab:

I perform research on security-related issues to help protect GitLab team members as well as GitLab customers. This can involve researching a new product feature, evaluating a SaaS product that GitLab is using or considering using, or educating others via presentations and blog posts.

What’s the most challenging or rewarding aspect of your role? Security should be painless and just a natural part of someone going about their day. If a process is implemented that makes things more secure and it causes no friction to the point that most people do not even notice it, then I’ve done a good job.

And, what are the top 2-3 initiatives you’re currently focused on? In my role, I’m focused on:

• Outreach via blogs and security conferences. Here’s a sample blog that has links to several other posts I wrote about GitLab’s Zero Trust journey, “We answer your most popular questions about our Zero Trust journey“
• Securing the product. This blog post, “GitLab instance: security best practices“ was one that many in the security department helped me with and was written to help our customers harden their instances.
• Occasional mouthpiece to the press on GitLab and industry security practices; again part of that outreach effort. An example: "Remote Work Has a Hidden Challenge: Data Security".

What is the most significant piece of security advice you could provide to a colleague or friend? Even though it is boring, do not forget the basics! This includes patching, unique passwords, and always using two-factor authentication. The press is full of stories of exotic attacks and flamboyant new bugs, but the basics eliminate the vast majority of threats.

How did you get into security? It all started as exploring, discovering that one could get into systems one was not supposed to be in. I loved it. As I got better at what I was doing, I also improved in the tech field in general, since I had to learn what system admins would do so I could avoid getting caught and being kicked out of some server. Eventually I got jobs in the tech field, and as I progressed I had a knack for the security aspects, and it went from there.

From the perspective of your role, what’s GitLab doing better than anyone else in terms of security? Openness. When I first started it seemed horrifying that all of the code and the handbook were so open, but in actuality it is quite freeing. We’re “default open” (public by default). Now this applies to the entire company and not just the security department, but it is nice that we don’t have to worry about security decisions becoming public; they will be regardless. This keeps us honest, and when someone is honest you’re more likely to trust them. This strengthens our security posture in that when we claim to be secure it can be verified, and as issues are identified (by team members or the GitLab community) we can fix them as openly as possible.

What was your personal worst moment in the Infosec world and how did you recover? I have been let go from my job twice, both times after a buy-out. In one case the buying company had a policy against hiring hackers, but I expected it and I had another job lined up through a friend in the industry. In the other instance, my job went away and I did not want to transition to another department since it would involve moving. I took my buy-out money and decided to take some time off, or “funemployment”. A friend of mine named Kathy Wang - an early leader here at GitLab who helped grow the security department - saw my blog post about my time off and reached out, mentioning GitLab. So the important lesson here is that maintaining friendships in the security industry can really help in times of need. And you never know when you’ll be in a “time of need.”

Name your favorite accomplishment that you are totally not known for. I was at the very first few Black Hat Briefings in Las Vegas. While a researcher at a tech firm that was a sponsor at one of those early Black Hat events, we had a brainstorming session where I came up with the idea that we should have an open bar event. Free of charge, no sales pitch stuff, just drinking and networking. It is the norm now, or at least it was pre-pandemic when conferences were in person. YOU’RE WELCOME.

Play nostradamus for a minute. Tell us how you see the tech or security landscape changing in the next 5 years?

I believed that the tech industry itself would continue the move to all-remote or at least remote first, but the COVID-19 pandemic has accelerated that quite a bit. As a result I think the principles of both Zero Trust as well as BYOD (Bring Your Own Device) will become more of the norm as the tech landscape will be nearly all remote. Any company that is cloud-based with an Internet presence can do this, so many non-technical industries (marketing agencies, consulting firms, and so on) will move in this direction as well. I also believe that a passwordless world is possible, as two factor can consist of factors besides a password like biometrics and a U2F device (e.g. Yubikey), and that within five years this will start to truly become a real thing with actual industry acceptance. I’d love to see that happen, the password is simply one of the biggest failures and worse engineering designs ever.

Now, for the questions you really want to have answered:

What’s your most interesting experience while traveling? I was stopped by TSA and I tested positive for TNT. Here’s the whole story.

When traveling, packing cubes or no packing cubes? Packing cubes. My packing ritual is minimalistic. Everything is wear a pair, pack a pair, and I do sink laundry every night (I bring my own soap for this). The idea is that I have all of the tech, clothing, and accessories to last on a three week trip with a single backpack. A bad storm and a packed airport can turn an overnight trip into a week-long ordeal, and I am prepared. This requires an insane level of discipline and planning, and packing cubes are essential to making this process easier.

When you’re not working, what do you enjoy doing/how do you spend your free time? It’s a toss-up between playing and recording progressive metal music and working in the woodshop. Both are fun and I’ve done them for years.

If you were stranded on an island, what three things would you bring? A water purification kit or Berkey water filtration system, a fully charged GPS, and a fully charged satellite phone. I’d immediately call for help with my exact coordinates, and sip on freshly-filtered water until help arrives.

Photo by Thomas Jensen from Unsplash.