Do We Really Need a Security Industry


When somebody posts something critical of what I've written, I'm careful to go back and read my own words. I frequently find that I'm flat-out wrong. In other cases, such as this one, I write before I think (similar to implementing before you engineer), which ends in me looking very unprofessional.

RSnake was (rightly) defending himself after I made a flippant remark about his warming up to WAFs in one circumstance. My remark neither fully explained RSnake's decision nor gave a complete picture of the depth of that decision in that one circumstance. RSnake gave a great deal of thought to how WAFs can be beneficial, and certainly did not say they were some sort of silver-bullet solution to all security failures.

Here's my take on WAFs. Like RSnake said about Schneier, I wish it were a perfect world. I wish programmers didn't make mistakes. Even earlier, I wish software engineers thought more like civil engineers. I wish the really poorly-conceived models we have, the poorly-coded applications we have, and all the insecure frameworks we have could just be chucked and re-conceived, re-coded, and re-engineered. But as has been pointed out to me many times, I have my head in the clouds and am not grounded in reality.

That being said, if you are able to go back to square one on an application, or if you're in the infancy of engineering something, it is far more effective and cost-effective to design things right the first time. If you have a real need for WAFs in the future, then you need to go back and look at your processes to see how you can do things better on the next iteration. WAFs are great as a safety net, but they will never help your programmers and engineers do their jobs better; they may even have the adverse effect. By covering up for flaws made by programmers, they may train the programmers not to do the right thing and to rely completely upon the WAF (or the hacking team, or the security scanner) to catch their failures.

WAFs can be fantastic in those circumstances RSnake spoke about: where re-engineering is a complete non-option, or when the application is never going through another iteration and will soon be retired. I'm not even suggesting that you shouldn't always use them, but when starting from scratch, never rely on them to provide security you should have baked in yourself. WAFs don't know your application the way you do, and making them know the application the way you do requires you to write logic into the WAF that you simply should have written into the application.
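To make the point concrete, here is an added example (not from the original post, and not anyone's product) contrasting a constructed, generic WAF-style pattern filter with an application-level check. The WAF sees only strings; the application knows that `account_id` is an integer the caller must own and that the note is free text to be stored through a parameterized query. All names, patterns and sample data are constructed for illustration.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed, generic WAF-style blocklist. It matches strings, not meaning.
WAF_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b.*\bselect\b", r"<\s*script", r"\.\./")]

def waf_allows(value: str) -> bool:
    """Perimeter check: rejects anything matching a known-bad pattern."""
    return not any(p.search(value) for p in WAF_PATTERNS)

@dataclass(frozen=True)
class User:
    name: str
    account_ids: frozenset  # accounts this user is allowed to touch

def app_validate(user: User, account_id: str, note: str) -> bool:
    """Application-level check using knowledge only the application has:
    the id is an integer the caller owns, and the note has a bounded length."""
    if not account_id.isdigit() or int(account_id) not in user.account_ids:
        return False
    return 0 < len(note) <= 200

def save_note(conn: sqlite3.Connection, user: User, account_id: str, note: str) -> bool:
    """Validate first, then store with a parameterized query so the note text
    is always data, never SQL. No pattern filter is needed for that."""
    if not app_validate(user, account_id, note):
        return False
    conn.execute("INSERT INTO notes (account_id, note) VALUES (?, ?)",
                 (int(account_id), note))
    return True

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (account_id INTEGER, note TEXT)")
    alice = User("alice", frozenset({1001, 1002}))  # constructed sample user
    # Case 1: harmless text the pattern filter blocks, but the app stores safely.
    note = "Homework: UNION vs SELECT in my SQL class"
    case1 = (waf_allows(note), save_note(conn, alice, "1001", note))
    # Case 2: looks innocent to the WAF, but alice does not own account 9002.
    case2 = (waf_allows("9002"), save_note(conn, alice, "9002", "hi"))
    rows = conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
    return {"waf_false_positive": case1, "waf_blind_to_ownership": case2, "rows": rows}
```

The ownership rule in `app_validate` is exactly the kind of logic a WAF cannot supply without being taught the application, and once you are writing it anyway, the application is where it belongs.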

Now, as far as RSnake is concerned, I value his opinion more highly than my own. He's the one who's been in (and out of) the industry far longer than I have. He's the one who's asked to give lots and lots and lots of presentations, not me. The masses respect his opinion much more than mine (and for once, in this case, I think the masses are right). I ground almost everything I write in the philosophy of how you should write things if you're writing them new. RSnake is firmly grounded in reality. If he says something is busted, you'd better read what it is and figure out if yours is too. If you're writing from scratch, or doing a complete re-write, I highly encourage you to look here and see if there are good practices you can employ to make your application better from the beginning.

RSnake, my apologies for making such a statement without fleshing out the thought. In the event we ever get to meet up, I'll buy you a pop - but seeing as how you're in Texas now, it's all called Coke regardless of what brand or flavor it is. "You want a Coke?" "Sure!" "What kind?" "Sprite."