Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/10/2011
09:48 AM
Commentary
Commentary
Commentary
50%
50%

How I've Become One With The Rest Of The World

I'm not quitting the security game, but I want to get experience outside of the choir

At DefCon last August, Dave Maynor and Dr. Paul Judge presented a talk on malware featuring a surprise guest, the Playmate of the Year. Afterward, a security expert went up to her and said, "There's an SQL injection on your website. I can own you."

Security professionals think this is normal behavior, even helpful. It's not. As Rob Graham said, "It's just as creepy as your neighbor warning you that he can climb a ladder and peek through the crack in your bedroom curtains."

We're like the creepy neighbors of the IT industry. For all we try to help, they can't get past why we're holding binoculars.

In the past, Errata has worked with developers on security assessments of their applications. We've seen firsthand the resistance to our "extreme views." The problem has a lot to do with information asymmetry and managing expectations, but sometimes it's just being creepy. The security expert is the one who reads their emails, knows their passwords, and tells their bosses they're failing. Wearing the mantle of the security expert has made our jobs harder, and our advice falls on deaf ears. In some occasions, the consultation ends with the security expert being escorted off the premises before the test is even completed.

And why shouldn't they? We're "Breakers." We not only tell them we can see in their windows, we go sit on their beds. Anything to get the message through to them. "There are evil-doers out there, and they will use your code to cause you pain." In doing so we put ourselves at odds with the "builders."

Meanwhile, we're seeing positive response to solutions to security problems built by the developers themselves without the heavy hand of the security expert. Ruby on Rails developers are making the inclusion of encryption and authentication as easy as plugging in a gem. Builders are creating their own seamless solutions to security problems on their terms.

Obviously this is progress, but not the entire solution. Security professionals need to support and encourage this kind of development while at the same time do the research and make tools to help the seamless integration of security into the development process. I'd like to be a part of this support.

The first step is admitting my own creepiness and to try harder to know what it's like to be on the receiving end of all of this helpful advice. I'm not quitting the security game, but I want to get experience outside of the choir. I want to be a builder and, yes, even a "fixer".

I've begun working on projects that lead developers by example to see security for what it is -- ruggedness -- and not an arsenal of pain. This means growing my development skills and practicing what I preach. Hopefully this way I can get to better know the development community and effect change from the inside.

The creepy neighbor who says he can see in your window might get you to change your curtains, but he'll have a restraining order before he ever has a chance to tell you about your open screen door. We have two choices if we want to be heard: We can either become the police officers patrolling the neighborhood, or we can become the trusted friend who stops by for tea. Remembering to be less creepy allows us to get more done.

Marisa Fagan is security project manager at Errata Security.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.