Tuesday 29 November 2016

Published 'Hacking Portugal' Book

I just published the 'Hacking Portugal' book, which is based on the "Hacking Portugal and making it a global player in Software development" presentation I delivered at BSidesLisbon in November 2016.

You can get it from Amazon

or at https://leanpub.com/hacking-portugal/


All text is released under a Creative Commons license. Please submit any feedback, ideas or fixes at https://github.com/DinisCruz/Book_Hacking_Portugal

Here is the text from the introduction:

Introduction

This book is based, and expands, on a presentation given at BSidesLisbon on 9 November 2016.

The ideas I consider here look to the future, as some of the concepts are too radical until the AppSec problem becomes much bigger. They are ideas for a future when solutions are wanted.

As technology and software become more and more important to Portuguese society, it is time for Portugal to take them more seriously, and become a real player in that world. This book discusses several ideas to make Portugal a place where programming, TDD, Open Source, learning how to code, hacking (aka bug-bounty style), and DevOps receive the consideration, investment and respect that they deserve. Application Security can act as an enabler for this transformation, due to its focus on how code and apps work, and its enormous advances in secure-coding, testing, dev-ops and quality.

Why I’m doing this

I have been studying this area, and its various challenges and possibilities, for some time, and for many reasons.

The current economic model is not working for secure code and secure software development, and it is not working for many parts of the general population. In many cases, it doesn’t make business sense to spend the time and effort creating secure code, because the customer cannot measure it. I believe we must innovate our way out of this problem.

I have considerable experience working in the AppSec industry, and this allows me to see the problems coming down the line. However, the same experience also allows me to see solutions to the problems, and I want to share and discuss my ideas for these solutions. Moreover, I want to create a safe future for our kids.

Summary of Chapters

In ‘Portuguese network to be hostile to insecure code’, I discuss the possibility of Portugal becoming a hostile place to create, publish or host insecure apps or IoT appliances. The creation of a safe internet in Portugal is possible, but it will need the support and input of Creative Commons, regulatory and market forces, and communities, for it to work. We need new ideas and different perspectives for this to succeed.

‘Hackers’ considers the term ‘hackers’, as opposed to ‘attackers’, and discusses how hacking can help to create a secure internet for Portugal. The sound ethical values of the hacking community can inspire the next generation of internet users.

‘How Secure is Portugal’ examines how Portugal, despite being a digital country with a great dependence on software, has many vulnerabilities and exploitable assets, leaving it highly exposed to cyber-attack in the future. Implementing the correct measures, for example by utilizing and increasing the InfoSec and AppSec talent available in Portugal, will help to mitigate the risk of attack.

‘Portuguese Hacking Service’ suggests that 15-20 year olds should undertake their ‘Hacking Service’, a new version of the former Portuguese Military Service. The chapter also looks at the Portuguese military budget, and argues that a percentage of it should be diverted into virtual battles against cyber-attacks on Portuguese assets. Everyone should learn to hack, including criminals and retired people, for the general benefit of Portuguese Government, business, and society. New structures like a ‘Portuguese Hackathon League’ would develop Portugal into a country as famous for hacking as it is for football.

‘Portuguese Innovations’ looks to the glorious history of Portuguese innovation, from the Carrack ship to marmalade, to the more recent success of drug decriminalization in Portugal, which has dramatically reduced the rate of drug overdoses and drug-related deaths.

‘Leader in cyber and application security’ looks to the future of Portuguese innovation, and notes that where Portugal led the way in maritime navigation and innovation in the past, it should now become a world leader in coding and AppSec. The chapter offers some pointers to developers. It also describes cyber security as a public health problem, and states that the techniques used to train cyber security specialists should resemble those used to train medical professionals.

‘Privacy’ discusses the importance of privacy to the individual. It notes how cryptography can help the individual to control their data, in a world where some governments and businesses act to reduce, or remove, the technological privacy of the citizen.

The chapter goes on to consider the need for disclosure in companies, and the role whistleblowers have to encourage disclosure and improve how markets work. We need legislation that protects whistleblowers and compels disclosure, to create an environment where there is maximum privacy for the individual, and maximum transparency for companies. The way the music industry resisted technological innovation is used as an example of the negative consequences of secrecy and non-disclosure.

‘Open Source’ develops the ideas discussed in ‘Privacy’, and notes the importance of openness and transparency to the success of the arguments presented. Programs such as OWASP, Git, and FOSS can help to achieve the desired level of transparency. The chapter discusses the need for Open Source to become a lingua franca, and it suggests specific legislative changes to increase transparency at government and corporate level.

‘Government’ acknowledges the role of government as a benign influence to effect change. The chapter recommends the establishment of a Ministry of Code and a Software Testing Institute, but warns that these must be matched by sensible regulation and governance. It also proposes a Clear Software Act, focused on code quality and security. Bug bounties are suggested, and the role of the insurance industry is discussed. The European Union, and the creation of new currencies for weaker economies, are also considered.

‘Why Portugal’ explains why, from its size to its culture and economy, Portugal is the best location to implement the ideas presented in this book. The chapter concludes with the options facing Portugal: to become a holiday destination, or a Powerhouse of Technology, ready to lead the world in code and security.

‘Actions and Recommendations’ summarises the actions and recommendations suggested throughout the book.