At DefCon last August, Dave Maynor and Dr. Paul Judge presented a talk on malware featuring a surprise guest, the Playmate of the Year. Afterward, a security expert went up to her and said, "There's an SQL injection on your website. I can own you."
Security professionals think this is normal behavior, even helpful. It's not. As Rob Graham said, "It's just as creepy as your neighbor warning you that he can climb a ladder and peek through the crack in your bedroom curtains."
We're like the creepy neighbors of the IT industry. For all we try to help, they can't get past why we're holding binoculars.
In the past, Errata has worked with developers on security assessments of their applications. We've seen firsthand the resistance to our "extreme views." The problem has a lot to do with information asymmetry and managing expectations, but sometimes it's just being creepy. The security expert is the one who reads their emails, knows their passwords, and tells their bosses they're failing. Wearing the mantle of the security expert has made our jobs harder, and our advice falls on deaf ears. In some occasions, the consultation ends with the security expert being escorted off the premises before the test is even completed.
And why shouldn't they? We're "Breakers." We not only tell them we can see in their windows, we go sit on their beds. Anything to get the message through to them. "There are evil-doers out there, and they will use your code to cause you pain." In doing so we put ourselves at odds with the "builders."
Meanwhile, we're seeing positive response to solutions to security problems built by the developers themselves without the heavy hand of the security expert. Ruby on Rails developers are making the inclusion of encryption and authentication as easy as plugging in a gem. Builders are creating their own seamless solutions to security problems on their terms.
Obviously this is progress, but not the entire solution. Security professionals need to support and encourage this kind of development while at the same time do the research and make tools to help the seamless integration of security into the development process. I'd like to be a part of this support.
The first step is admitting my own creepiness and to try harder to know what it's like to be on the receiving end of all of this helpful advice. I'm not quitting the security game, but I want to get experience outside of the choir. I want to be a builder and, yes, even a "fixer".
I've begun working on projects that lead developers by example to see security for what it is -- ruggedness -- and not an arsenal of pain. This means growing my development skills and practicing what I preach. Hopefully this way I can get to better know the development community and effect change from the inside.
The creepy neighbor who says he can see in your window might get you to change your curtains, but he'll have a restraining order before he ever has a chance to tell you about your open screen door. We have two choices if we want to be heard: We can either become the police officers patrolling the neighborhood, or we can become the trusted friend who stops by for tea. Remembering to be less creepy allows us to get more done.
Marisa Fagan is security project manager at Errata Security.