Sticking your neck out

For as long as I can remember, the standard “security” talk is a negative and destructive talk, where the presenter presents their latest “research” as if it’s going to solve world hunger, totally end the Internet as we know it, cure herpes, or put the spooks out of business as anyone could spy on the whole Internet.

The reality is that a few hours, weeks, or if it’s someone like Oracle circa 2005, years later, the problem is solved and we go back to giving our identities away for free on Facebook as if nothing had happened.

Seriously, why do we put up with this?

I believe it is because negative Chicken Little (“the sky is falling”) talks are much easier to do:

  • Hand waving talks can be put together on the plane whilst going to the conference, or even later if you don’t hit the bar as soon as you get to the hotel. Talks of this type include “Why the IT Security industry sucks”, “This language is garbage”, “What you know is all wrong”, and my favorite, “PCI sucks”. These talks have zero merit because you can’t fix them. They’re opinion pieces barely better than a script kiddy blog entry, and are typically badly researched opinions rather than game changers.
  • The buffer overflow, CSRF, Ajax, RIA, XSS, SQL injection, or latest attack with a twist talks are easy to do. You might need to start working on these talks at the airport lounge, but you’ll still pump out a talk. Patches for these talks are sometimes delivered before the talk has finished. The world has not ended.
  • The fuzzing talk is is a bit harder. You have to run the fuzzer and let it find at least one badness. Probably a good idea to do it the night before you fly. Better yet, run it against a bunch of products in case someone did a good job.
  • Developing new devastating attacks that can be blocked by CS101-level controls, like the magic pixie dust of input validation. What a complete WAFTAM.
  • The pinnacle of negative talks has awesome demos, but realistically still demonstrates a paucity of ideas (such as how to detect if you’re in a VM – I mean really, who cares?). I have respect for these researchers, and really wish they’d apply their talents to good quality positive research instead of wasting their most productive research years on pointless baubles.

Why are positive talks harder? Because you have to work at them!

  • Firstly, it’s about research, and original research is hard to do properly.
  • Research takes time, and consistent application to an idea that may not even pan out. But if you don’t do it, you’ll never know.
  • You have to find an area that is not yet solved. There’s a reason it’s not solved yet. These issues have made talented brains hurt already.
  • You have to think of a new and novel solution to the issue, and the solution should be effective, simple and cheap. Most of the speakers on the party circuit simply don’t have this capacity, and haven’t had an original idea in years.
  • You have to develop your solution and test it out against lab and real world scenarios to make sure it doesn’t suck. It helps if your solution is repeatable, your solution and code is documented, and its useable by others without sacrificing chickens.
  • Many folks write papers and talks as if they succeeded at first go. That’s not science, that’s puffing up Brand Speaker. We learn from the paths not taken more than the eventual solution. Think about CSRF and session fixation for example – there’s heaps of folks who think CSRF is solved by a random nonce. But it’s not the entire story. Same deal with click jacking. Write up your failures as much you write up your successes.
  • You have to hand your research and methods around to trusted peers to see what they think and hope they don’t spill the beans or steal your thunder. Once you’ve published, you need to make sure others can repeat your experiments and results.
  • If you want to change the world, you have to give it away. You can’t patent it. You can’t tie it up in trade secrets. You can’t keep it to yourself. This is the hardest of all – think of the IT landscape today if AT&T had kept Unix to themselves. Exactly.

Lastly, and probably the most important – positive research and subsequent talks means sticking your neck out. Your peers evaluate what you’ve said and how your solutions work. If you’re not sure of self, this can be a huge risk to one’s ego. If you’re wrong, it’s real bad and you’ll be a virgin for another year. If you’re right, you will get {girls, boys, furries} and invites to all the sexy parties*

I will not claim that all of the hundreds of controls I documented in the OWASP Guide 2.0 are right. In fact, I know some of them are wrong. That’s how science works. At least I stuck my neck out and documented what I thought at the time. I’m happy to come back to the controls, do the research to find new controls that do work with minimal cost, and document those.

For those of you lucky to know me personally, you’ll know that I have no shortage of self, in fact probably enough self for two people, but you need it if you’re going to have a shot at this brave new world of repeatable, scientific progress in the web application security field.

I hope to see more conferences like OWASP’s AppSec Research conference, to be held in Sweden this year. Make sure you go to it. More importantly, stop wasting time on negative talks, and get moving on doing that research for next year’s conference.

* This is actually false advertising, as you’ll struggle to be invited to most conferences even though your research and talk will mean more long term than 100 negative talks. On the other hand, I’ve been told that Furries are easy to rub the right way.

Published by vanderaj

Just another security geek

Join the Conversation

4 Comments

  1. Hi Andrew,

    Good post. I concur wholeheartedly. I am a big believer in not providing criticism unless you have something positive to contribute and too often I see the “numerating badness” trend in talks. It would be nice to see more good ideas on how to make security “work” seemlessly. I’ve recently been thinking on ideas of my own research into risk management (I’m pissed at the just about all frameworks I’ve seen) and plan on testing a hypothesis of my own with the intention of presenting on it. I expect that once I present it, I will cop heat. But quite frankly, I don’t give a damn.

    Cheers

    – J.

  2. I often have private whine sessions about what sometimes passes for “research” these days, and often take umbrage to the use of the term “researcher” in our circles, and while i agree with some of the points in this post, i think it makes some huge leaps (and some serious mistakes).

    a) If a talk is about breaking and “Patches for these talks are sometimes delivered before the talk has finished”, then there is no value in the talk.

    The end-user is now safer, and a bunch of people have gotten pointers to how to spot mistake-X in their code, along with (possibly) a practical demonstration of its effects. (Someone gets to convince his manager that its worth hunting down this bug-class..)

    I dont think the speaker deserves the same acclaim as the guy that invented stackguard… but i also dont think its such a useless result?

    b) “how to detect if you’re in a VM – I mean really, who cares?”
    Really? I’ll ignore the reasons why this detection _is_ important, but will focus instead on the strange double standard. Sometimes pieces of research like this show their real value later on. (like malware changing its behavior when it determines it is in a VM) or even directions not pondered yet. Surely this is almost the textbook definition of basic research?

    c) “really wish they’d apply their talents to good quality positive research instead of wasting their most productive research years on pointless baubles”
    I could link the “pointless baubles” again to the question of basic research, but instead ill point at the increasing number of researchers that can be found who turn to becoming solution builders after years in the “pointless bauble” trenches.

    d) “Research takes time, and consistent application to an idea that may not even pan out.”
    Agree.. but this is something that plagues both attack and defense focused work. You could spend a great deal of time chasing angles and attack avenues that dont bear fruit.

    Ultimately, i agree that some really poor research makes it to cons these days, but i think its a mistake to equate this to “positive talks always trump negative ones”.

    @haroonmeer

Leave a comment

Your email address will not be published. Required fields are marked *