security needs to change? wait…change what?

I’m still ornery today. I’m not sure what it is; I think it’s just this lingering tail end of a cold I’ve been stuck with for the last 2-3 weeks…
I’ve been sitting on this post from Dave Shackleford for a few days, letting it digest and ferment…errr I mean sink in and blossom. Dave talks about a few topics and I wanted to pull it apart like unwinding some Twizzlers. He talks about post-RSA thoughts, business alignment, change, worshipping exploit-finders, and the echo chamber.

As with the post I discussed yesterday, I just want to preface that I agree with Dave. This isn’t meant to be argumentative or critical; rather building and fleshing…

Post-RSA thoughts? I think it is fine to desire security companies who do have passion for their job, but yes, point taken that there are still plenty of companies who are only chasing profits. (As a corollary, how many security nuts want to go into sales? And thus, how many sales and marketing people are security nuts? Yeah, that’s the gap. It won’t change.)

Aligning with business. I don’t think when someone says that security needs to integrate with business that they mean you need to figure out how *other* businesses work and accept that they’re in it to make money. Maybe that’s a given to me? Who knows, maybe there are still people who come into security all idealistic and think every vendor is out there to help them with their security and offer only solid, value-driven solutions. Well…it will only take them about a year to realize they’ve sometimes been sold lemons and sometimes they’ve been sold tools they can’t manage within their budgets.

Change. I agree. “Change what?” I’ll say that sometimes this is the right approach. If I’m not happy, the solution is two-pronged: change, and figuring out what to change to make me happy. In the case of security, I don’t think we know the answer to either prong of that solution. We don’t know what to change and we don’t know what changes will improve anything. So why do we say change? Because we’re not perfect? Because we’re still behind the curve of security? I’d argue that’s exactly where we will always be by the nature of the beast! Sometimes you’ll be unhappy if you’ve set unrealistic, maybe even impossible goals for yourself. In that case, you need to redefine your happy state. Or redefine what “security” means to you.

Worshipping exploit finders (aka the adversary motivation). This is complicated, and I both agree with Dave and think there is simply more to it. First, I think our focus on exploit-writers and breaking into things is deep-rooted, probably something to do with competition. This may be a people thing or even a national/socio-economic thing (capitalism==competition). Second, we’d all become better defenders if we had more of an attacker’s skill and knowledge. How would a person best secure their OS/apps? By knowing how to break them. Maybe not in a way you can do it while sitting in a club getting a blow, but at least know that it’s possible.

In the end, I do agree, however. For as much fun as it is to break things, we continue to need to focus on the fun of securing things and thwarting attackers. We need rockstar defenders as well as attackers. (At least there are many attackers breaking things for the greater good as white hats; we do still need that segment.)

Echo chamber (aka evangelize). This is a tough call. I agree we need to get out of our comfort level, but this is a bigger bill than one would expect. On one hand you can talk to technical people, but if you’re going to talk to them about security, you need to talk on their level and give them actionable information. Not just point at the OWASP Top 10 and hit the bullet points, but give examples of insecure coding and ways to actually fix it. Otherwise you’re just a burden: another requirement-giver causing them more work and telling them their babies are ugly. You have to actually teach, which is still hard for many security people to do adequately. On the other hand, you have a crowd of non-technical people who need to know why they should even bother, and they often need a heavy dose of FUD to get the point. But even here, expectations need to be tempered or we’ll always be an unfulfilled bunch. My age-old example of home security hits home here (huk huk!): it’s easy to scare people, people know they need to do it, yet so many homes are just waiting for theft/invasion. You’ll also need to be able to deftly and understandably field dumb questions and deflect misguided assumptions while keeping in mind that not everyone is as paranoid as a security geek and not everyone puts the same value on their personal information as a security geek does.

Biggest point: We security geeks rant and rave and we *need* to. We *need* to talk to each other to share ideas, but we also need to share our pains and stresses and cathartically release them together. And we *need* to keep talking to others outside those groups. This is where consultants really, really need to bring their game. Charlatans in it for the paycheck need not apply.

Last point: We’re often at the end of the stick, just like IT operations. We’re at the mercy of attackers, users, software, business, and vendors giving us crappy security products filled with half-false promises. Getting to the forefront of this probably means embracing risky, edgy concepts like “there is no perimeter” and doing things so dramatically different… Maybe. That’s just me high on tea this morning…