Bad Security?
I had the pleasure of attending a seminar at my company on IT security. The theme for this session was, among other things, application security. Now, I was hopeful, as the presenter was from an IT security company and the agenda looked interesting (DoS, XSS, SDLC…). Maybe I could learn something practical about these topics I’ve heard so much about? I do, after all, have to manage a couple of projects which involve a bit of web application development.
Okay, I was impressed at first. The introduction of the presentation was smooth and the slides were above average. Some little mistakes here and there, but I let them slip. But then, little by little, I started to notice disturbing trends. For example, this guy constantly belittled free/open software. It was as if in his mind it was impossible that free or open software could be better than commercial software. At one point he wondered how, in one regard, there even is a “freeware” program that does some things better than Microsoft IIS. Every time he mentioned that something was not of commercial origin, but either a free or volunteer effort, he had to mention that despite this obvious shortcoming, this or that was still “pretty good”. I don’t know, maybe he was molested as a child by a chubby penguin or something, but I was amazed by this ignorance.
We went through the most common web application attacks and ways to mitigate them. When we got to buffer overflows, he was baffled, because he couldn’t understand how something as simple as a buffer overflow is so common in many applications. According to him, the roots of this problem were in the history of “unix” and C, where it was OK if programs crashed. And how to solve this problem? Do not accept long strings. He had also noted from his own experience that buffer overflows and memory leaks were more common in Windows environments than in Unix environments, but he wasn’t sure why this was the case; it probably had something to do with coding styles or something. Also, his solutions to most of the security problems seemed to be adding some new technology. And in any case, we don’t even develop that many of our own tailored apps, and it’s not like you can modify off-the-shelf software or its coding practices that much.
And so we went on with injection attacks and string formatting: do not allow strange characters. At this point I was also shown our company security principles, which state that all applications must validate input and must strip all strange characters, including “,”, “‘”, “+”, “%”, “@”, “&” and friends. Apparently many programs, like Excel, Word and Outlook, are exempt from this rule, as using these programs would be rather difficult if they didn’t accept some of these characters. He applauded our work on this and didn’t “on the surface” see any problems in it. Okay, maybe I’m nit-picking here, but the overall presentation was just horrible. I know I’m not an expert on security issues, but I have read my share of Schneier and written a bit of PHP and Ruby.
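To make the problem with the “strip strange characters” rule concrete, here is an added example (my own illustration, not code from the post, the seminar or the company policy). It uses Python’s standard-library sqlite3 module, an in-memory table with two constructed rows, and the character set exactly as the post lists it (the “and friends” part is unknown, so the filter is an approximation). It contrasts three versions of the same lookup: string concatenation, concatenation after the policy’s filter, and a parameterized query.

```python
import sqlite3

# The characters the company policy (as quoted in the post) says every
# application must strip. Taken from the post; "and friends" is not
# enumerated there, so this set is an approximation of the real policy.
STRANGE = set(",'+%@&")


def strip_strange(text: str) -> str:
    """The seminar's mitigation, applied literally: drop every 'strange' character."""
    return "".join(ch for ch in text if ch not in STRANGE)


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "O'Brien", "obrien@example.com")],
    )
    return conn


def by_id_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the untrusted value becomes part of the SQL text itself."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id + " ORDER BY id"
    return conn.execute(sql).fetchall()


def by_id_filtered(conn: sqlite3.Connection, user_id: str) -> list:
    """The policy's fix: strip 'strange' characters, then concatenate anyway."""
    return by_id_concat(conn, strip_strange(user_id))


def by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Correct fix: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ? ORDER BY id", (user_id,)
    ).fetchall()


def by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding handles quotes inside data without any stripping."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # contains none of the 'strange' characters
    print(by_id_concat(db, payload))     # both rows: injection works
    print(by_id_filtered(db, payload))   # both rows: the filter changed nothing
    print(by_id_param(db, payload))      # []: the whole string is just a value
    print(by_name_param(db, "O'Brien"))  # [(2, "O'Brien")]
    print(by_name_param(db, strip_strange("O'Brien")))  # []: legitimate data mangled
```

The numeric context shows the filter’s blind spot: `1 OR 1=1` contains no quote, comma or ampersand, passes the policy untouched, and still returns every row when concatenated. In a quoted-string context the same filter does happen to neuter the classic `' OR '1'='1` payload, but only by deleting every apostrophe and `@` from legitimate data, which is why O’Brien can no longer be found once his name has been “validated”. Binding the value as a parameter keeps data and SQL separate, so neither the payload nor the apostrophe needs special treatment.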
I also learned that the term “hacker” originates from a time when computer resources were scarce and “hackers” were the guys who tried to get more of these resources by abusing systems. I believe the correct term would be “phreaker”, and yes, I’m aware that much of the hacker subculture originates from them. And yes, throughout his presentation he mostly used the term in a negative way, so it is totally possible he used it as an umbrella term for all kinds of people who abuse the functionality of systems.
Now, the audience was IT managers and people who probably, before this seminar, didn’t know what session hijacking or SQL injection was, but explaining these wrongly, even if these guys don’t need to know what they are anyway, was still quite amazing. I’m talking about a partner of an IT security consultancy here. Now, to be fair, he knew the basics, like the difference between identification, authentication and authorization, which he constantly pointed out, and as he pointed out, he wasn’t a “technical person”, but hey, why are you giving this presentation?
Suffice to say, I left the seminar early.
Do you, the readers of this fine blog, have any experience with security experts who aren’t? As far as I know, this guy was from a reputable company, and their services are most likely good and the rest of their staff knowledgeable, so I’m not going to name and shame them. Have you noticed a general tendency in the business world for FOSS to be seen as inferior to commercial software just because it’s free?
Kari is an IT project manager at a utility company and, when not managing the ensuing chaos or misspelling Bruche Schneier’s name, enjoys watching The Amazing Race and is determined to go to Australia and see a wombat crossing sign with his own eyes.
Hey Kari,
Thank you very much for sharing this experience with us.
I have no experience with IT security people who don’t know what they’re talking about.
One thing that’s sure: I understand why security consultants like open source software better. And I agree with them. When it comes to security, it’s nice to know what the software does exactly. And the only way to achieve this state of knowledge is through understanding the source code thoroughly.
It’s actually one of our arguments when selling CartoRéso, a soon-to-be open source software (probably).
You were right anyway to leave early: why would you waste your time with a guy telling nonsense boiling down to adding new technology to deal with security issues? Most of the time, security breaches come from human behavior. In security, communication between people is key. At least that’s my opinion…
Jeremy, I think you really got it. I too think that the biggest threats in IT lie in users, not in technology. Technology and theory are easy; making it work is not.
You’d make a better security consultant than this guy; too bad you won’t sell any “solutions” and make money telling your clients that they don’t need Yet Another Security Solution.