Getting out of the box: The problem of Babel


dmitryc on SecuriTeam Blogs has a really good article about how, as security practitioners, we used to be in the free-thinking space, and have since become so structured in our thought that we've handcuffed ourselves.

I think of all the "new" types of attacks we've found and have since applied names to - "XSS Fragmentation Injection", "Cross-Site Request Forgery". This isn't to ding on names, but it seems that if we find something "new", it's a race to categorize it because we've become so driven by metrics.

On the one hand, I agree - following a strict methodology handcuffs us and stifles creativity - particularly in ethical hacking engagements. The bad guys aren't restricted by a methodology - they're only restricted by their own imaginations.

But on the other hand, we have to be able to communicate our findings in such a way that the business is motivated to make a change. If we can't define the terms of an engagement, and can't document our findings in such a way that the recipient can search for those types of flaws and how to fix them, how do we plan to make a dent?

I think I probably missed the whole point of dmitryc's post - he probably means that we've all (necessarily) become so specialized in what we do - the IDS folks don't know what the firewall folks do. The ethical hackers don't know what the code reviewers do. Or we've become so focused on web hacking that we've lost skills in general network hacking, where a marriage of the two (years ago, they would've been one and the same - we didn't have to merge them together) is almost impossible.