Wednesday, September 10, 2008

Curphey on Building vs. Breaking

True that

I have grown increasingly disillusioned with the information security industry and especially disillusioned with the application security industry (whatever that really is). Why? I will get onto the information security part where fluffy compliance and best practice culture seems to be gaining acceptance in future posts (probably after a few glasses of wine) but if we take the application security industry specifically then I personally find it is disappointing that after a decade of it being considered a discipline in it’s own right, it is still predominantly made up of breakers and not builders.

I, too, have had anxiety about much vuln work and that is why I'm not in the product/application security bidness anymore. And there is much in Linus's monkey comments that I found hard to disagree with. And bonus points for going after the OpenBSD crowd.

Finding your first vuln, crashing a PIX (or 7200 in IOS) is fun the first time, but bug hunting is ultimately a cheap thrill. And educating product teams to find their own bugs, change their processes, document and design products better is ultimately more rewarding.


Andre Gironda said...

I agree with everything in this post except the part about the OpenBSD crowd. I'd like anyone to point out somebody besides Theo who helps out (or has helped out in the past) OpenBSD that "needs going after". This common, often united, hatred for a large, wonderful open-source project is blasphemy. Special note here is that I don't use OpenBSD (mostly Linux or FreeBSD), but I wholeheartedly support them and have purchased CD's, posters, t-shirts, and have donated money to their project many times in the past (weird since I've never run it before).

What's funny/ironic about your comment most of all is that OpenBSD has been doing what you two are talking about for over 10 years. OVER TEN YEARS. They are the classic example of what needed to happen back then and what needs to happen now. If we could get everyone excited about secure code review and building/releasing secure open-source software that is of extremely high quality -- then that's exactly in the spirit of what Curphey and you are trying to say. It's all about creating culture around the right things.

We're facing an extremely detrimental future for our industries (both information and application security). Application security is driven by compliance; Compliance is driven by the fear and power of nation states and huge financial corporations. For anyone to be thinking about software vulnerability research instead of software weakness research is not just a waste of time, but it's misdirected and uneducated. We're in a lot of trouble if banks and nation states do get their way, and we're in a lot of trouble if they don't.

Offensive security research only benefits organized crime, nation states, terrorists, and banks (which all are really a blur if you think about it). Building security into software, especially free software -- and placing security at the same level of importance as quality and performance -- these efforts will benefit consumers, children, and everyone's rights to freedom and privacy.

As someone who has also crashed 7200's and IOS on a global level (way before what Michael Lynn made possible), I can certainly see the meaning behind what you say. It's like "application security enlightenment". The problem that I have is that stuff just tends to break easily around me. I'm good at breaking things. But I *like* building things. It's enjoyable, it's ethical (note that `Ethical Hacking' is an oxymoron), and you're right that it is certainly most rewarding.

Matt Franz said...


Thanks for the long response.

My OpenBSD comment was mostly a troll. Even though I like rattling the cages t I'm a big BSD advocate!

BTW I'm a firm believer in irony. I had that thought after I posted it.

- mdf