Adam Caudill

A Secure Mentality

My employer recently completed the final audit to confirm ISO 17799 compliance; the process was a real eye-opener. In a process that should have been fairly short & painless, the ordeal lasted close to a year, with me joining the company just before the second, and largest, audit. That made my first few weeks rather interesting, to say the least.

While 17799 does have some complex requirements, most of the issues found had more to do with the overall mentality than with the true technical issues involved. The mentality at work tends to be to not seek what’s secure, but to find what works, and what’s fast – regardless of its impact. Without always being aware of the security issues involved, it’s easy to introduce significant vulnerabilities into a system.

There are three primary groups of thought when it comes to security:

  1. Those that don’t know or care.
    In the business world, these are by far the most common users; they don’t understand the implications and they typically want to keep it that way. These users introduce an amazing number of issues into a system.

  2. Those that know, but don’t care enough to do things right.
    These are less common, though they pose an equal, if not greater, risk. When the pressure to have tasks done in an extremely short time is high enough, security shortcuts are often the result. While it typically doesn’t add significantly to timelines, there is a time cost to ensuring that proper processes are followed.

  3. Those that put security first.
    This is the smallest group, though, when equipped with the proper authority, it can have the greatest impact. These rare people who both understand and care tend to carry the burden for the ignorance and laziness of the other major groups. It is their duty to see that data is secure, and systems are well protected against possible attacks.

Keeping a constant eye on security is critical, especially for developers – as our work can have an impact on such a large number of end users. Many developers tend to under-appreciate the impact they can have, both for the good their work does, and the harm their mistakes can cause. Finding a clear understanding of the implications of a decision is vitally important.

Even if you think something may not raise a security issue, take the time to evaluate the possibilities. It’s well worth the time; trust me, I know this. A single error on my part as to how the application needed to secure its data led to a public announcement of the issue to the famous BugTraq mailing list. A simple mistake, with a definite impact on how I view potential security issues.

Thankfully that issue was small enough that it didn’t cause any real harm, but it certainly taught me a lesson. In that decision, I didn’t consider the possible implications, and it led to what I consider a rather public embarrassment.

Next time you work on a feature that could be abused in any way, take a few minutes to think about ways to make it safer and more secure. You’ll thank yourself later.
