Secure Coding mailing list archives
Re: informIT: Building versus Breaking
From: "Kevin W. Wall" <kevin.w.wall () gmail com>
Date: Wed, 31 Aug 2011 22:43:57 -0400
On Wed, Aug 31, 2011 at 10:16 AM, Gary McGraw <gem () cigital com> wrote:
hi sc-l, I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got me started thinking about building things properly versus breaking things in our field. Blackhat was mostly about breaking stuff of course. I am not opposed to breaking stuff (see "Exploiting Software" from 2004), but I am worried about an overemphasis on breaking stuff. After a quick and dirty blog entry on the subject <http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>, I sat down and wrote a better article about it: Software [In]security: Balancing All the Breaking with some Building http://www.informit.com/articles/article.aspx?p=1750195
Hi Gary... I read through both your blog entry and article and pretty much agree with you.

At a presentation I gave at a recent local OWASP chapter, I asked for a show of hands of those considering themselves builders vs. breakers vs. policy wonks. Only one person raised his hand admitting to be a policy wonk. Of the remaining, I'd say there was at least a 3:2 majority of breakers vs. builders. And when the emcee of the presentations asked how many people considered themselves software developers, only about 5 of us out of maybe 35-40 put their hands up.

I think there are a few reasons for this. For one, as you write, it is considered "sexier". When was the last time you saw something in the press about someone building more secure software? Not often. Aside from the Silver Bullet interviews and Jim Manico's OWASP Podcasts, I can't say I recall even one. You also state that it's easier to become famous. Again, the popular press comes into play there. To them, someone breaking into a system is news, but reporting on someone building secure software would be, well, like having a 6:00 news report stating that "Since yesterday, 4500 planes landed safely at O'Hare." Yawn!

But I also think there's another reason there are more breakers than builders in software security. The main reason is that I think it's much harder to build secure software than it is to break it. It takes more training, it takes more time, and IMHO, it takes more skills, not the least being able to communicate clearly with other development teams.
I've also had a chat with Adam Shostack (a member of the newly formed Blackhat Advisors) about the possibility of adding some building content to Blackhat. Go Adam! Do you agree that Blackhat could do with some building content?
Unfortunately I don't get around to conferences much. The last one I attended was a USENIX conference in 1989. :( Although I will be making an appearance at AppSec USA this year. :) However, I do think a balance is needed. And for the record, there are secure programming contests out there. E.g., SANS recently ran one in Java and .NET. (I did not have time, so no, I did not enter.)

I think that the best background for someone trying to enter software security (aka "application security" to some) is to first learn good development skills and THEN to learn how to break software. I think SW development skills take a while to foster (I'd give it a minimum of 5 years) and the knowledge in the field of SW development changes a lot faster than does the skills / knowledge needed for pen testing. Plus, if you don't experience SW development first-hand (i.e., in the trenches), you will never know all the pain-points experienced by developers and, more importantly, you likely won't be accepted by that community and earn their respect. (And please note, when I mention SW development skills I am referring to a LOT more than writing code.)

Anyway, I think your articles were spot on. My only point of disagreement was the unnecessary confusion over hat color. Yes, it segued nicely with the BlackHat conference, but otherwise I think it missed the mark. As Sergio Alvarez already remarked, hat color doesn't imply that white hats are builders and black hats are all breakers. (If that were the case, we'd really be doomed.) But otherwise, two thumbs up. (Or should I step into the modern era and write '+1'?)

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents."
-- Nathaniel Borenstein