Perimeter
3/10/2011
09:48 AM
Commentary
Commentary
Commentary
50%
50%

How I've Become One With The Rest Of The World

I'm not quitting the security game, but I want to get experience outside of the choir

At DefCon last August, Dave Maynor and Dr. Paul Judge presented a talk on malware featuring a surprise guest, the Playmate of the Year. Afterward, a security expert went up to her and said, "There's an SQL injection on your website. I can own you."

Security professionals think this is normal behavior, even helpful. It's not. As Rob Graham said, "It's just as creepy as your neighbor warning you that he can climb a ladder and peek through the crack in your bedroom curtains."

We're like the creepy neighbors of the IT industry. For all we try to help, they can't get past why we're holding binoculars.

In the past, Errata has worked with developers on security assessments of their applications. We've seen firsthand the resistance to our "extreme views." The problem has a lot to do with information asymmetry and managing expectations, but sometimes it's just being creepy. The security expert is the one who reads their emails, knows their passwords, and tells their bosses they're failing. Wearing the mantle of the security expert has made our jobs harder, and our advice falls on deaf ears. In some occasions, the consultation ends with the security expert being escorted off the premises before the test is even completed.

And why shouldn't they? We're "Breakers." We not only tell them we can see in their windows, we go sit on their beds. Anything to get the message through to them. "There are evil-doers out there, and they will use your code to cause you pain." In doing so we put ourselves at odds with the "builders."

Meanwhile, we're seeing positive response to solutions to security problems built by the developers themselves without the heavy hand of the security expert. Ruby on Rails developers are making the inclusion of encryption and authentication as easy as plugging in a gem. Builders are creating their own seamless solutions to security problems on their terms.

Obviously this is progress, but not the entire solution. Security professionals need to support and encourage this kind of development while at the same time do the research and make tools to help the seamless integration of security into the development process. I'd like to be a part of this support.

The first step is admitting my own creepiness and to try harder to know what it's like to be on the receiving end of all of this helpful advice. I'm not quitting the security game, but I want to get experience outside of the choir. I want to be a builder and, yes, even a "fixer".

I've begun working on projects that lead developers by example to see security for what it is -- ruggedness -- and not an arsenal of pain. This means growing my development skills and practicing what I preach. Hopefully this way I can get to better know the development community and effect change from the inside.

The creepy neighbor who says he can see in your window might get you to change your curtains, but he'll have a restraining order before he ever has a chance to tell you about your open screen door. We have two choices if we want to be heard: We can either become the police officers patrolling the neighborhood, or we can become the trusted friend who stops by for tea. Remembering to be less creepy allows us to get more done.

Marisa Fagan is security project manager at Errata Security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.