Security's Everyman


Thursday, July 03, 2008

I don't think like that

One of the things that I've said for years is that people who write code think differently than the rest of the world, especially those of us who come from a networking background. The thinking differential within information technology gets even fuzzier. Network guys think differently than server guys, who think differently than database guys, who think differently than developers, who think differently than the security guys, etc. In recent years it has also expanded to include those of us who focus on policy, process, and program development. Actually, it seems that no one understands those of us who do this.

Years ago I realized that I am NOT a programmer. My mind just does not work like that. As time went on I came to the realization that more and more I think less technically and more strategically. So now more than ever I really don't think like a programmer. I'm still able to look at code and make out (basically) what is going on. Just don't ask me to write the code. I promise you it won't get your desired results. Unless your desired result is to make me look very foolish.

I just read this from Errata Security where fellow Atlantan Robert Graham talks to us about how hackers think differently than your average coder. He makes some good points and reinforces the theory that when you have a pen test done or a code review done you are often better off hiring a hacker. Maybe not a real black hat hacker, but someone who thinks in the same way. Someone who thinks concretely instead of abstractly. If you talk to the guys who work for Errata, SecureWorks, and lots of other security companies you will discover that the people they hire are not your average Joe. (I hope I don't offend anyone reading this) :). These guys just think differently, and that is their advantage.

When a coder writes code he writes it to accomplish a specific goal. When a hacker attacks code his goal is to make it do something that it wasn't intended to do. Robert does a good job of explaining the differences between those with a hacking mindset and those who are coders. I like this statement that Robert made:

The consequence of this is that coders rarely understand how their code actually works. This is why Java is so often unbearably slow - the coders don't understand what the software is really doing.

They understand how to make it do what they want, but they don't understand how what they did can also be used against them later. They think about what they want it to do and don't go beyond that to think about what else it could do. The same problem exists in other areas of IT. Most network guys think about how to make a switch or router route and segment traffic in the most effective way. They don't think about how setting up this VLAN with a connection to that VLAN can reduce the security of each VLAN. They don't think about how putting a command in a router can allow a hacker to gain access to the router or to the network that it is sitting in front of. Firewalls are another area where someone who understands networking but doesn't think "security" can easily misconfigure them. One wrong port opened can spell 'pwned' for your network.

So what's the answer? If you lead teams, then encourage them to learn to think like a security pro or a hacker. Get them quality training, and encourage them to read blogs and other writings by hackers. If you have the resources and time, set up a "play" lab for them to hack on and learn on. You won't be able to teach everyone how to think like a hacker or even a good security pro, but if you can change the way they think even a little bit, it can go a long way in helping you to secure your environment.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.