Secure Coding mailing list archives

Re: informIT: Building versus Breaking


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Wed, 31 Aug 2011 14:59:07 -0700

Not many builders go to BlackHat. BlackHat is by Breakers, for
Defenders. It is primarily attended by Defenders, with a smaller pool
of dedicated Breakers.

It is very valuable to our industry to have conferences focused on
Breaking. Though they do have Builder and Defender talks. Some of my
first BlackHat talks were on a statistical B-A-D WAF a few of us
built, though statistical behavioral anomaly detection is boring, so
we'd drop a few zero-days on products in the talk to keep folks awake.

If you want to reach Builders: there are already dev-focused
conferences and communities for Builders. Jeremiah Grossman and I have
made a point of going to developer-focused conferences around the
world, and have been well received. So, I suspect they'll allow other
security folks in too.

Michael Coates has an excellent blog post suggesting an organization
for OWASP along the above lines - and appealing to all three groups -
it would be interesting to see other security conferences explore this
structure:

http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html

As for your concerns with over-emphasis on breaking....

Breaking is concrete, measurable, and actionable. There are many
historical precedents for Breakers driving the innovations of
Builders.

For example: the auto industry Builders learned substantively about
safety from the Breakers. There are many lessons in the evolution of
car safety features for us in how Breakers drive defense. From IR
(cadaver research) to Black Box (crash testing) to SAST/DAST
automation tools and test harnesses (Hybrid III and acceleration
sleds) - the evolution of car safety was instrumentally fueled, if not
driven, by the innovations of the Breakers.

It makes sense that software security will benefit from many of the
same analogues. So - it's no surprise there is so much emphasis on
breaking!

Finally - Breaking sells. It's really hard for Defenders to sell
Building Secure to business owners without concrete measurements from
Breakers. Basically, Breakers help Defenders get budget for things
like Secure Builder research and programs. And Breakers provide
measurement metrics on Builder progress.

Let's face it - Breaking is far sexier than Building. When was the
last time you saw an exciting presentation on -GS in Visual Studio?
This may be why the SCL list is smaller than the dozens of other
Breaker lists out there on the interwebs. Or it could be that the
problem is so darn hard....

---
Arian Evans
Builder and Breaker


On Wed, Aug 31, 2011 at 7:16 AM, Gary McGraw <gem () cigital com> wrote:
hi sc-l,

I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got 
me started thinking about building things properly versus breaking things in our field.  Blackhat was mostly about 
breaking stuff of course.  I am not opposed to breaking stuff (see "Exploiting Software" from 2004), but I am worried 
about an overemphasis on breaking stuff.

After a quick and dirty blog entry on the subject 
<http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>, I sat down 
and wrote a better article about it:

Software [In]security: Balancing All the Breaking with some Building
http://www.informit.com/articles/article.aspx?p=1750195

I've also had a chat with Adam Shostack (a member of the newly formed Blackhat Advisors) about the possibility of 
adding some building content to Blackhat.  Go Adam!

Do you agree that Blackhat could do with some building content??

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justoceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
