Security: UR Doin It Rong

Wednesday, February 22, 2012

Wendy Nather


As I mentioned before, a lot of security work consists of telling people they're doing something wrong. 

There are all the "thou shalt nots" in security policies, there's the "scanning and scolding" of vulnerability assessment, and there's the "Ha! Got you!" inherent in penetration testing and exploit development.

In other words, it takes a lot of moxie (pun intended) to stand up to a security professional.

Rob Lewis, aka @Infosec_Tourist, made the comment yesterday:

You're right. Nobody says "we're screwed!" with as sincere and calm a demeanour as @451wendy.

Which I appreciate, but it's been bothering me lately that that's almost always how we discuss security.

In his preso at Security B-Sides London last year, David Rook (aka @securityninja) made a great point about application security:  if we taught driving the same way we taught secure development, we'd make a whole big list of different ways you could crash the car, but never actually tell the student how to drive safely.

A good number of talks at security conferences focus on what we (or other people) are Doing Wrong.  Very, very few are about how to do something right. 

Part of the reason for this, of course, is that practitioners are afraid to stand up in front of an audience and talk about how they're defending themselves, for fear that someone in the audience will take it as a challenge and de-cyber-pants them before they've even gotten to the Q&A session. 

(I've heard tell of presenters' laptops being hijacked in the middle of a presentation.)  I know a lot of practitioners are doing very cool things that their management would never let them say publicly.

But when we focus too much on what people are doing wrong, there's a danger of our talks turning into pompous lectures. "We need to do something different from what we're doing today."  Okay, but what, exactly?* 

This is why I admire those who are proposing alternative solutions, such as Moxie Marlinspike's Convergence. These folks might be right, or they might be wrong, but at least they're trying to make things better.

So, lest this turn too Gödel, Escher, Bach on us, I'll stop lecturing too, and talk about what I plan to do about it.  I'm going to do more talks about what I think works in security. 

I've done a few before on topics such as how to bootstrap an infosec program, what multi-contextual identity and access management looks like, and how to dicker on the contract with third party providers.  

I won't aspire to #sexydefense; I'll leave that to the ones who show up all the time on the Top Ten Infosecsiest lists.  But I'll encourage people to turn that frown upside down, and try not to bring up a problem without also proposing a solution.  

Maybe this way, we can get invited to a few more non-security parties instead of having to throw them all ourselves.

*No, the answer is NOT "use our product."  Thanks for playing, though.

Cross-posted from Idoneous Security

Robb Reck: Excellent post. Very well said.
John Readinger: Very interesting and thought-provoking. The irony of lamenting imperfections vs. hailing accomplishments. Unfortunately, it is inherently necessary in most situations.
Ian Tibble: Yes, I've also written a piece recently (Security De-engineering, CRC Press) on potential solutions, but my ideas for a solution will upset a lot of folk in our beloved security industry. I think "These folks might be right, or they might be wrong, but at least they're trying to make things better." will go by the wayside, and I will be branded a heretic and burned at the stake. Vendors will take a legal swipe at me also.
It's true, there is a lot of talk about what we're doing wrong, but it's really because we're not doing much right. Products are bad, skills are inappropriate, we've made a fashion out of poor management, and we're highly limited in our capacity to do things right at this stage.
In order to solve the problems we have to realise what they are first... and I don't think we're even at that stage yet. Actually, there are even some folk outside security who have half of the answer. Many folk in the industry have an intuition about what the answer is, but admitting to the problem endangers their career. There are too many with a vested interest in keeping things just the way they are.
Going through this article just highlights some popular misconceptions, though. "There's the 'scanning and scolding' of vulnerability assessment": if there's any scolding (I don't see any, to be frank; do security pros have any confidence in the output of their assessment efforts?), then it's highly inappropriate. Our assessment results are highly inaccurate, and we're limited in our capacity to improve the accuracy (see chapters 5 and 7 of my book). But at least I hope we can agree on the inaccurate part... it seems not, based on 12 years of trying to make this point.
"'Ha! Got you!' inherent in penetration testing": there is none, because of the way we deliver penetration tests. 90%+ of tests delivered won't even try any exploits... this is a long story (chapter 7).
Application security: the practical and business side means we have to learn to live with vulnerability in this area for the time being... unless we have a budget for 2 months+ (a team of 160 person-days) of manual assessment for all of our more complex apps.
"Someone in the audience will take it as a challenge and de-cyber-pants them before they've even gotten to the Q&A session." Fair point; I'm sure this is what pros are thinking, but hackers won't be in the audience unless it's a Black Hat event (or suchlike). And most security pros do not speak at such events.
"I know a lot of practitioners are doing very cool things that their management would never let them say publicly." Yes, this part I totally agree with. I can give a long list of examples.

But anyway, we need to be thinking about these matters, and thanks.