Perimeter
3/10/2011
09:48 AM
Commentary
Commentary
Commentary
50%
50%

How I've Become One With The Rest Of The World

I'm not quitting the security game, but I want to get experience outside of the choir

At DefCon last August, Dave Maynor and Dr. Paul Judge presented a talk on malware featuring a surprise guest, the Playmate of the Year. Afterward, a security expert went up to her and said, "There's an SQL injection on your website. I can own you."

Security professionals think this is normal behavior, even helpful. It's not. As Rob Graham said, "It's just as creepy as your neighbor warning you that he can climb a ladder and peek through the crack in your bedroom curtains."

We're like the creepy neighbors of the IT industry. For all we try to help, they can't get past why we're holding binoculars.

In the past, Errata has worked with developers on security assessments of their applications. We've seen firsthand the resistance to our "extreme views." The problem has a lot to do with information asymmetry and managing expectations, but sometimes it's just being creepy. The security expert is the one who reads their emails, knows their passwords, and tells their bosses they're failing. Wearing the mantle of the security expert has made our jobs harder, and our advice falls on deaf ears. In some occasions, the consultation ends with the security expert being escorted off the premises before the test is even completed.

And why shouldn't they? We're "Breakers." We not only tell them we can see in their windows, we go sit on their beds. Anything to get the message through to them. "There are evil-doers out there, and they will use your code to cause you pain." In doing so we put ourselves at odds with the "builders."

Meanwhile, we're seeing positive response to solutions to security problems built by the developers themselves without the heavy hand of the security expert. Ruby on Rails developers are making the inclusion of encryption and authentication as easy as plugging in a gem. Builders are creating their own seamless solutions to security problems on their terms.

Obviously this is progress, but not the entire solution. Security professionals need to support and encourage this kind of development while at the same time do the research and make tools to help the seamless integration of security into the development process. I'd like to be a part of this support.

The first step is admitting my own creepiness and to try harder to know what it's like to be on the receiving end of all of this helpful advice. I'm not quitting the security game, but I want to get experience outside of the choir. I want to be a builder and, yes, even a "fixer".

I've begun working on projects that lead developers by example to see security for what it is -- ruggedness -- and not an arsenal of pain. This means growing my development skills and practicing what I preach. Hopefully this way I can get to better know the development community and effect change from the inside.

The creepy neighbor who says he can see in your window might get you to change your curtains, but he'll have a restraining order before he ever has a chance to tell you about your open screen door. We have two choices if we want to be heard: We can either become the police officers patrolling the neighborhood, or we can become the trusted friend who stops by for tea. Remembering to be less creepy allows us to get more done.

Marisa Fagan is security project manager at Errata Security.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.