The Iron triangle was initially about the policy making relationships in US politics fixed relationships between congressional committees, bureaucracy & interest groups.
 In security it became a short hand for the relationship between ease of use, performance and security.
 Unfortunately this had a negative impact on the industry as it lead to the belief that you had a fixed trade off between security, ease of use and performance.

1. The Myth of the Iron
Triangle in Cybersecurity
Sherif Mansour

2. Bio
• OWASP Foundation Board Member - Treasurer
• OWASP Foundation London Chapter Leader
• Product Management - Cyber Security @ a Financial Services
Company
• Previously - Application Security Lead @ Expedia
NOTE: This presentation does not reflect the views of my current or
previous employers.

3. Introduction
The iron triangle idea was first introduced in 1956
regarding US politics by Gordon Adams and the concept
eventually made its way to security.

4. The Iron Triangle
The Iron triangle was initially about the policy making
relationships in US politics fixed relationships between
congressional committees, bureaucracy & interest groups.
In security it became a short hand for the relationship
between ease of use, performance and security.
Unfortunately this had a negative impact on the industry
as it lead to the belief that you had a fixed trade off
between security, ease of use and performance.

5. What are some of the impacts?
• Is there a fixed relationship between security and
ease of use?
• Is there a fixed relationship between security and
performance?

6. Why is this a Myth?
Albert Einstein: The definition of insanity is doing the
same thing over and over and expecting different
results.

7. Why is this a Myth?

8. What is possible?
• Can we have better privacy without an impact on ease
of use?
• Can we have better security without impacting
performance?
• Can we have better security without an impact on
cost?

9. The Answer is….
Yes!
But there are other trade-offs…

10. Examples
• The Signal Protocol
• Let’s Encrypt
• The Rust Programming Language
• Universal 2 Factor Tokens

11. The Signal Protocol
• End to End Encryption Protocol
• Initially designed for TextSecure based on OTR
• Moved to Axolotol Ratchet (now known as the
signal protocol).
• Provides end to end encryption to messaging
services such as Skype & WhatsApp with easy of
use and functionality.

12. What is the current challenge?
Alic
AliceBob
Unauthorised Intercept

13. How does signal work?
Keys {
Ratchet {
Deliver {
1) Phone asks for next public pre-key for recipient
2) server sends back identify key and prekey
5) phone sends encrypted message for server to pass along
6) server responds with status
3) phone generates an ephemeral key
4) phone does EDHE to derive master key

14. The Result?
An easy to use end to end encryption messaging
protocol.

15. Let’s Encrypt
Significantly increasing the use of the encryption on
the internet by making TLS certificates free.

16. The Challenge
• If you needed your website to use HTTPS, you
needed to pay a vendor.
• There was a cost for the adoption of encryption
on the web.
• This also led to many complex security designs on
many sites (secure.example.com).
• Also - if certificates expire - browsers would load
a large error screen.

17. Solution
• Make Certificates free!
• Automate the process of certificate renewal

18. The Rust Programming Language
• Firefox’s move to a more secure and easy
to use language to make it’s browser safer
and after to use than ever before.

19. The Challenge
• A study from Microsoft showed across all
their software - memory safety is the
cause of roughly 70% of the security issues
in their software.
• Programming languages which minimise
these issues often have a large runtime,
and performance issues (java, python
etc..).

20. The Solution
• A programming language with a small
runtime, high performance and memory
safety.
• Rust is currently being used at Mozzilla,
Facebook, Google and many others.

21. What is the tradeoff?
• Long compile time.
• A more complex language

22. Universal 2 Factor Tokens
Google’s efforts to limit the impact of
phishing attack through the use of usable &
functional 2 factor tokens.

23. The Challenge
• MFA does not have a simple user experience.
• These MFA codes can still be still phished/
social engineered.
• There isn’t a vendor neutral approach to MFA.
• There isn’t an agreed web interface on the
browser for MFA.

24. Initially Vendor Specific

25. The FIDO Alliance
• Fast IDentity Online
• Universal Authentication Framework (UAF)
• Universal 2nd Factor (U2F)
• Client to Authenticator Protocol (CTAP)
• WebAuthn (Web Authentication) published by(W3C).
WebAuthn is a core component of the FIDO2 Project
under the guidance of the FIDO Alliance.

26. The Result
• An easy to use MFA solution which has all
but eliminated employee account phishing
attacks at Google.
• A standardised MFA solution across the
web
• More to come…. (delegated recovery)

27. Other Interesting Solutions In Progress
• OWASP - Software Component Verification
Standard (SCVS)
• NIST - SCAP 2.0
• ISO - SW-ID Tags
• IETF - SACM

28. Final Thoughts
• It’s important to understand root cause of security
problems (and not current solutions).
• Investigate new paradigms & approaches (take
inspiration from the wider technology industry).
• All these challenges are eco-system wide and will
require multi stakeholder collaboration.

29. Q&A