Making Things Worse by Asking all the Wrong Questions

Monday, May 14, 2012

Rafal Los


Fair warning, after re-reading this post before hitting publish I do realize it gets a bit... rant-ish... but it's necessary, and I was due.

Missing Opportunities

If you missed THOTCON 0x3 and Chicago's Security BSides I will tell you, as will others, you missed a pair of events that were cross-sectional to how Information Security is evolving.  

The two conferences were back-to-back and mixed technical presentations with accessible speakers to try and continue to build a sense of community in sweet home, Chicago.

I can't say everything was roses and rainbows though, as a few of the discussions that were exhibited demonstrated just how poorly defined and understood the practice of information security really is.

A few interesting things stuck with me from the two days of meeting, sharing, and learning - but one in particular just lingers in the back of my mind because to me it illustrates how the InfoSecurity community does itself a disservice b distancing itself from the very business it serves.

Pitting business against 'security', builder versus breaker and asking some outright ridiculous questions meant that even mild-manners Wh1t3 Rabbit had to jump in and temper the discussion to the road of the audience...

First off, the builder vs. breaker and "us versus them" mentality is nonsense.

Perpetuating the thinking those who build software (or defend) are somehow at odds with those who break it (the hackers) is counter-productive in my humble, experience-based opinion.  A talk which asks the audience to jump into this discussion and thus continue the us vs. them and adds finger-pointing for security failures is irresponsible, and should never have happened.

I found it odd that at a hacker conference, clearly aimed at breakers/hackers, the moderator took a poll and asked who knows what OWASP is.  No more than 2-3 people raised their hand (including yours truly) which shouldn't have been a shock since we had next to no developers, or App Sec people there from what I could tell... again mostly infrastructure people.  Upon seeing such a low level of OWASP knowledge the moderator declared that OWASP was a failure and proceeded to ask who's fault it was.

Blaming the OWASP Foundation, then developers for not adopting secure coding options brought about by the OWASP projects is silly... ultimately until the business cares about security, and developers have an incentive to write more secure code, or even think about it remotely - even tools and simple to use, transparent technologies like that which OWASP provides won't get utilized.  

It doesn't take a rocket scientist to figure this out... how about a little less "who's fault is it?" and a little more "let's do something about it" for a change?

Ultimately, where I lost it was where the moderator started down a "value of a penetration test" rabbithole.  Asking whether penetration testing has value, and if since we acknowledge a penetration test is an incomplete sample if we would be better off just using scanners and spending the money on fixing... then finally asking whether it makes sense to spend money on penetration testing at all.  

Seeing the need to re-set the conversation I simply added to the moderator (without microphone in hand) that he was asking all the wrong questions... 

Moderator: "So what are the right questions?"

Me: "You should be asking people how they figure out what risk levels they're willing to accept and figure out how to get there."

Moderator: "What if I don't want any risk?"

Me: "They you have no idea what you're doing..."

[crowd cheers]

So here's what I don't get - after a few conversations with both the moderator and a couple of the attendees, it was pointed out that this was an attempt at hypberbole, and to generate audience-participation and dialogue.  Even so - I stand by the fact that this conversation asks the wrong questions and isn't productive in the context of 'making things better'...

Oh, and in case you missed it, there was yet another attempt to use FUD to prove how important security and brand reputation is... by trying to tell people who wouldn't otherwise know better that DigiNotar was "hacked out of business" which has been proven to be false.  Google it before you end up feeding eager minds false information, seriously.

(Note: it was pointed out I didn't make it clear enough that this was not brought up by the moderator, but rather a member of the audience.)

Anyway, didn't mean to turn this into a rant but it needed to be said.  There is so much junk out there that another forum which tries to artificially stir resentment and perpetuate an "us versus them" mentality between developers and hackers using false information just shouldn't be tolerated.  

Let's get to understanding our trade, understanding where our paycheck comes from (hint: it's not 'security' in most cases) and solving some problems... finger pointing is childish.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Security Training
Information Security
OWASP Application Security Development Secure Coding Standards Software Security Assurance Information Security Security BSides Conferences THOTCON
Post Rating I Like this!
Marc Quibell 'until developers have an incentive to write more secure code'? Really? Here's your incentive: Write secure code or you're fired or not going to be hired in this day and age. Whoever does NOT write some form of secure code, please find a new career.
James Richie Thanks a ton for your useful information.I have appreciated it.

painting contractors in west palm beach
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.