20070626

The Future of Ethical Hacking

I often come across as uber-idealistic, sounding like problems can magically solve themselves in earlier phases of the lifecycle, touting training as the first step to getting problems fixed. I've also probably come across sounding like there's no need for anybody in the development team to think about security per se, because what ends up being exploitable started out as either a semantic flaw (read: typo), or a logical flaw (read: forgetful engineering). I emphasize these (sometimes to a fault) because the earlier things are fixed, the less expensive they are to fix.

One might think that a by-product of better coding, source code reviews and scanning early and often, and security engineers being involved during product engineering would somehow lead to a lack of importance of ethical hackers. Indeed, I've often stated that the Secret Service, when being trained to identify counterfeit money, look at zero counterfeit bills (I've not found anything to substantiate this, but the Secret Service site that tells US Citizens how to identify counterfeit currency has much more information on the real artifact than the fake). However, even in a perfect world, white-room development lifecycle with security testing, real engineering processes, and well-trained coders, I think ethical hacking would still be a critical component, albeit in a somewhat different role.

I've talked about semantic flaws and logical flaws, but never really addressed something that looks more like design exposures. These are the problems that are inherent to the design, but they actually look like design features. For example, a car that is designed to go 300km/h and from 0 to 100km/h in 4 seconds, when put in the hands of an inexperienced driver, causes a degree of exposure to the driver and those around him. While I have much more confidence in PayPal than in a mom-and-pop location keeping my financial information (or many of them), a site that retains your financial information for extended periods of time is some sort of exposure.

So what do design exposures have to do with ethical hacking? I think really good ethical hackers, to be employable long-term, need to be able to engineer ways to exploit those design exposures, or better yet, combinations of them. An ethical hacker, in the future, will be the person who can say that, even if your site has zero of the OWASP Top 10 (probably meaning the site is non-functional by today's standards), there are features there that, when used in concert with other sites, other features in the same site, or certain timing of circumstances, can lead to really serious problems.

Fortunately, right now, there's no need for all the ethical hackers to forget everything they know about injection attacks. There are plenty of those yet to fix. And because there are still plenty of those to fix (and because users still click links in emails), the attackers haven't been forced to become more sophisticated in their attacks.
