Words to the Wise
Nov 13, 2009 Opinion
Recently Dave from the DailyDave security mailing list said something very insightful that I wanted to re-post here:
When you go into security consulting engagements with a new business unit you usually face a few questions from the developers and business owners. “What is it exactly that you’re going to tell us?” We always answer this the same way: “Things that will surprise you.”

Most developers have read a lot about security these days – they understand SQL Injection, Cross Site Scripting, access control, not to use their own cryptographics, and all sorts of other security truisms. What they can’t possibly understand is how a hacker’s mind works, and what they’re likely to find. Even security specialists who have only worked defence often have never really seen a hacker go.

Largely I think this is because there’s a difference between someone playing cards with chips and someone with their house and life on the line. People say penetration testing is a model of an attacker. But how do you model obsession?

- -dave
I totally agree. We can use the same tools, adopt the same techniques, but the mind of an intruder may be so completely alien to any defender that the yawning gulf of difference in mindsets that separates us prevents comprehension and hinders our efforts to combat them.