Perimeter
3/10/2011
09:48 AM
Commentary
Commentary
Commentary
50%
50%

How I've Become One With The Rest Of The World

I'm not quitting the security game, but I want to get experience outside of the choir

At DefCon last August, Dave Maynor and Dr. Paul Judge presented a talk on malware featuring a surprise guest, the Playmate of the Year. Afterward, a security expert went up to her and said, "There's an SQL injection on your website. I can own you."

Security professionals think this is normal behavior, even helpful. It's not. As Rob Graham said, "It's just as creepy as your neighbor warning you that he can climb a ladder and peek through the crack in your bedroom curtains."

We're like the creepy neighbors of the IT industry. For all we try to help, they can't get past why we're holding binoculars.

In the past, Errata has worked with developers on security assessments of their applications. We've seen firsthand the resistance to our "extreme views." The problem has a lot to do with information asymmetry and managing expectations, but sometimes it's just being creepy. The security expert is the one who reads their emails, knows their passwords, and tells their bosses they're failing. Wearing the mantle of the security expert has made our jobs harder, and our advice falls on deaf ears. In some occasions, the consultation ends with the security expert being escorted off the premises before the test is even completed.

And why shouldn't they? We're "Breakers." We not only tell them we can see in their windows, we go sit on their beds. Anything to get the message through to them. "There are evil-doers out there, and they will use your code to cause you pain." In doing so we put ourselves at odds with the "builders."

Meanwhile, we're seeing positive response to solutions to security problems built by the developers themselves without the heavy hand of the security expert. Ruby on Rails developers are making the inclusion of encryption and authentication as easy as plugging in a gem. Builders are creating their own seamless solutions to security problems on their terms.

Obviously this is progress, but not the entire solution. Security professionals need to support and encourage this kind of development while at the same time do the research and make tools to help the seamless integration of security into the development process. I'd like to be a part of this support.

The first step is admitting my own creepiness and to try harder to know what it's like to be on the receiving end of all of this helpful advice. I'm not quitting the security game, but I want to get experience outside of the choir. I want to be a builder and, yes, even a "fixer".

I've begun working on projects that lead developers by example to see security for what it is -- ruggedness -- and not an arsenal of pain. This means growing my development skills and practicing what I preach. Hopefully this way I can get to better know the development community and effect change from the inside.

The creepy neighbor who says he can see in your window might get you to change your curtains, but he'll have a restraining order before he ever has a chance to tell you about your open screen door. We have two choices if we want to be heard: We can either become the police officers patrolling the neighborhood, or we can become the trusted friend who stops by for tea. Remembering to be less creepy allows us to get more done.

Marisa Fagan is security project manager at Errata Security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

CVE-2015-0528
Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVE-2015-0996
Published: 2015-03-29
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.