| 4 min read
Being secure and being transparent are commonly seen as opposite concepts. There are practices like security through obscurity that promote the lack of information as a way to protect systems. If attackers don't know or understand your software system, they cannot exploit its security vulnerabilities. Therefore, details such as source code, architecture, and inter-process communication are kept secret by many organizations with the intention of protecting their users and their data.
However, authoritative bodies such as NIST (National Institute of Standards and Technology) and CWE (Common Weakness Enumeration) identify "Reliance on security through obscurity" as a significant weakness. Techniques such as black-box hacking, reverse engineering, or the abuse of information leaks allow the exploitation of systems hidden by obscurity, making it clear that this strategy is ineffective and only provides a false sense of security.
If obscurity is not a solution, then transparency is? I think that responsible transparency brings more security advantages than expected, so let's talk about it:
The reasons behind security
Security is not only about protecting user data or business differentiators. It is also about preserving the trust users have in your system. Trust is the most important and invaluable asset that a company can have and the most difficult to regain once lost. Confidence, itself, could be a business differentiator.
Think about the applications you use daily and list how many of them you prefer because you trust them. For instance, your favorite transportation app, which you chose over cheaper options; your favorite messaging app, which you preferred over some with more features; your banking app; your homestay app, etc. When applications build trust, they receive users who consolidate their use and tell other users about their pleasant experience with them.
Organizations like Uber and Airbnb understand the importance of trust and actively invest in it. In their apps, they offer user-centric content, provide beautiful interfaces, and add social features (e.g., sharing information about trips or homestay locations, voting in rating systems, etc.) to build trust from the enjoyable experience.
Ultimately, strategies to attract or retain users based on experience depend heavily on understanding the cons of other solutions in the market. What could companies do to use users’ trust as a differentiator?
Transparency effect
While we know that openness is a key factor in building trust between humans, it also serves to build trust between humans and systems. Think for a moment about how highly mature big tech companies like Google, Meta, Amazon, or Microsoft are providing a lot of information about their infrastructure, practices, and security strategies without apparent profit motive.
AWS, for example, invites companies with good cloud practices to share information about their infrastructure and how they solve the problems they face. What's more, AWS itself shares how it built its services to guarantee security and reliability for all its users.
Meanwhile, Microsoft maintains excellent documentation, which includes rationales and explanations for its technical decisions, thus providing knowledge and earning users' trust. Security practices are also material that can be in-app documented and shared with the public, as WhatsApp, for instance, does with its end-to-end encryption.
On the other hand, Meta has a good example of a status page where people can be aware of affected services across apps (e.g., Instagram, Facebook, WhatsApp Business API, etc.). This page informs users about minor and major disruptions and the work in progress to fix them. Additionally, status pages can include metrics and regional filters, as is the case with AWS status page.
Users have a positive impression and a sense of security when companies are transparent. Even they may end up defending wholeheartedly companies that have earned their trust. Companies are, at the end of the day, social agents that strengthen relationships with their customers.
Transparency as a culture
Even if a company implements transparency practices such as those described above, trust is built both externally with the users and internally with the team. In an organization, openness transforms the psychological safety, conversations and feedback to be received. Openness in the business culture grants the appropriate conditions to grow and learn a lot in better, in worse, in sickness, in health…
Teams turn into communities where solving problems is a group challenge rather than individual work motivated merely by the desire for personal achievement or the fear of being fired. Collaborative teams are born of transparent organizations.
I'm still very fascinated by the biggest GitLab outage, but mostly by the team's response. A developer accidentally deleted the production database along with its primary backup. GitLab engineers explained the situation and began a live stream to document their efforts in fixing the issue. It's a very stressful situation, but GitLab is an open-source project, and each contributor has a strong commitment to transparency and open knowledge. So, they chose to share their outage publicly as a damage control strategy.
GitLab is still one of the most widely used hosts for storing code after that failure. They taught all of us to use transparency to mitigate potential bad impressions on users. Undoubtedly, group effort and openness in resolving an incident protect and maintain users' confidence in products and services.
Conclusions
Among the many ways to enhance security and build trust, adopting a well-executed transparency strategy can provide significant benefits to your business. It's not just about being open source or sharing knowledge freely; it's also about understanding that trust is earned and maintained by being as transparent as necessary with both your users and your team to foster growth.
Security through transparency is a viable strategy that businesses should consider to strengthen their market position. Being open and sharing knowledge is always worth it. That's why at Fluid Attacks, we don't just talk about transparency, we embody it.
Share
Recommended blog posts
You might be interested in the following related posts.
