Secure Coding mailing list archives

Re: informIT: Building versus Breaking


From: "Kevin W. Wall" <kevin.w.wall () gmail com>
Date: Wed, 31 Aug 2011 22:43:57 -0400

On Wed, Aug 31, 2011 at 10:16 AM, Gary McGraw <gem () cigital com> wrote:
hi sc-l,

I went to Blackhat for the first time ever this year (even though I am
basically allergic to Las Vegas), and it got me started thinking about
building things properly versus breaking things in our field.  Blackhat
was mostly about breaking stuff of course.  I am not opposed to breaking
stuff (see "Exploiting Software" from 2004), but I am worried about an
overemphasis on breaking stuff.

After a quick and dirty blog entry on the subject 
<http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>, I sat down 
and wrote a better article about it:

Software [In]security: Balancing All the Breaking with some Building
http://www.informit.com/articles/article.aspx?p=1750195

Hi Gary... I read through both your blog entry and article and pretty
much agree with you.

At a presentation I gave at a recent local OWASP chapter, I asked
for a show of hands of those considering themselves builders vs.
breakers vs. policy wonks. Only one person raised his hand admitting
to be a policy wonk. Of the remaining, I'd say there was at least
a 3:2 majority of breakers vs. builders. And when the emcee of the
presentations asked how many people considered themselves software
developers, only about 5 of us out of maybe 35-40 put their hands
up.

I think there are a few reasons for this. For one, as you write,
it is considered "sexier". When was the last time you saw something
in the press about someone building more secure software? Not
often. Aside from the Silver Bullet interviews and Jim Manico's
OWASP Podcasts, I can't say I recall even one.

You also state that it's easier to become famous. Again, the popular
press comes into play there. To them, someone breaking into a system
is news, but reporting on someone building secure software would be,
well, like having the 6:00 news report stating that "Since yesterday,
4500 planes landed safely at O'Hare." Yawn!

But I also think there's another reason there are more breakers than
builders in software security. The main reason is that I think it's
much harder to build secure software than it is to break it. It takes
more training, it takes more time, and IMHO, it takes more skills,
not the least being able to communicate clearly with other development
teams.

I've also had a chat with Adam Shostack (a member of the newly formed
Blackhat Advisors) about the possibility of adding some building
content to Blackhat.  Go Adam!

Do you agree that Blackhat could do with some building content??

Unfortunately I don't get around to conferences much. The last one
I attended was a USENIX conference in 1989. :( Although I will be
making an appearance at AppSec USA this year. :)  However, I do
think a balance is needed. And for the record, there are secure
programming contests out there. E.g., SANS recently ran one in
Java and .NET. (I did not have time, so no, I did not enter.)

I think that the best background for someone trying to enter software
security (aka, "application security" by some) is first learn good
development skills and THEN to learn how to break software. I think
SW development skills take a while to foster (I'd give it a minimum
of 5 years) and the knowledge in the field of SW development
changes a lot faster than do the skills / knowledge needed
for pen testing. Plus if you don't experience SW development first-hand
(i.e., in the trenches), you will never know all the pain-points
experienced by developers and more importantly, you likely won't
be accepted by that community and earn their respect. (And please
note, when I mention SW development skills I am referring to a LOT
more than writing code.)

Anyway, I think your articles were spot on. My only point of disagreement
was the unnecessary confusion over hat color. Yes, it segued nicely
with the BlackHat conference, but otherwise I think it missed the mark.
As Sergio Alvarez already remarked, hat color doesn't imply that
white hats are builders and black hats are all breakers. (If that were
the case, we'd really be doomed.)

But otherwise, two thumbs up. (Or should I step into the modern
era and write '+1'?)

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________