Secure Coding mailing list archives

Re: informIT: Building versus Breaking

From: "Sergio 'shadown' Alvarez" <shadown () gmail com>
Date: Wed, 31 Aug 2011 20:01:36 +0200

Hi gem,

I've read your article to see what direction you were willing to take, before jumping into the conversation. Your post
was exactly what I thought you were heading to.

I disagree with your thought for many reasons.

But first I would like to use proper terms so that we don't misuse some vocabulary:

You said: """Software security should be a balanced approach of offense and defense (white hat and black hat, if you
will)"""

Whitehat: reports what he/she has found. Network vulenerabilities, software security flaws, flawed crypto, design
flaws, or whatever it is that the individual found it was broken or wrong.

Blackhat: doesn't report what he/she found, because she/he want to keep it that way.

Of course there are a lot of grays out there too.

Defense is…well... defense.

To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a
huge amount of literature. There are very good books when it comes to secure software development.

Every year what is presented, in the best security conferences, are new techniques that developers need to be aware of
in order to build secure products. Most of the presentations talk about things that were wrongly designed and/or
corner-cases which were not considered.

There are also a lot of tools and libraries which help development teams to do things right, specially libraries and
templates like Microsoft Safeint as well as the safe APIs, which prevent developers from shooting themselves.
They just need to use them. There are also managed languages, APIs to handle SQL securely, etc. It is just that a lot
of developers don't use what is available to them.

Blackhat is great as it is now, there are talks about new defense technologies from time to time too. Having more talks
about defense would be use, in my opinion, to sale products than anything else. I don't believe it would do any good to
Blackhat.

"""I am not opposed to breaking stuff (see "Exploiting Software" from 2004), but I am worried about an overemphasis on
breaking stuff."""

Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For
building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what
things might go wrong in order to protect better themselves. And even then many good talks overlap unfortunately.

Regards,
Sergio

On Aug 31, 2011, at 4:16 PM, Gary McGraw wrote:

hi sc-l,

I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got 
me started thinking about building things properly versus breaking things in our field.  Blackhat was mostly about 
breaking stuff of course.  I am not opposed to breaking stuff (see "Exploiting Software" from 2004), but I am worried 
about an overemphasis on breaking stuff.

After a quick and dirty blog entry on the subject 
<http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>, I sat down 
and wrote a better article about it:

Software [In]security: Balancing All the Breaking with some Building
http://www.informit.com/articles/article.aspx?p=1750195

I've also had a chat with Adam Shostack (a member of the newly formed Blackhat Advisors) about the possibility of 
adding some building content to Blackhat.  Go Adam!

Do you agree that Blackhat could do with some building content??

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justoceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________



_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

Current thread:

informIT: Building versus Breaking Gary McGraw (Aug 31)
- Re: informIT: Building versus Breaking Sergio 'shadown' Alvarez (Aug 31)
  - Re: informIT: Building versus Breaking Steven M. Christey (Sep 01)
    - Re: informIT: Building versus Breaking Goertzel, Karen [USA] (Sep 01)
    - Re: informIT: Building versus Breaking James Walden (Sep 05)
    - Re: informIT: Building versus Breaking Jeffrey Walton (Sep 05)
    - Re: informIT: Building versus Breaking Jeremy Epstein (Sep 05)
  - Re: informIT: Building versus Breaking Chris Schmidt (Sep 01)
    - Re: informIT: Building versus Breaking Sergio 'shadown' Alvarez (Sep 01)
    - "Building" conferences (was: informIT: Building versus Breaking) Martin Gilje Jaatun (Sep 05)
    - Re: "Building" conferences (was: informIT: Building versus Breaking) Gary McGraw (Sep 05)
  - Re: informIT: Building versus Breaking Stephen Craig Evans (Sep 01)

(Thread continues...)