While I wait for some new hardware to arrive which will go towards creating some more interesting tutorials for you all I took some time to think a little about the reactions people in security often provoke from others. This week Oracles CSO in a now deleted blog post was quite vocal about how she was not at all impressed by security researchers who kept reporting bugs to Oracle and tried to reverse engineer its products to find vulnerabilities. This wouldn’t be the first time somebody has complained about security researchers and it certainly won’t be the last time.
Now step back and think why do people react to us like this, were just helping right? It’s not that simple. One of the things people like most about the security industry is that it’s so different from everything else for example in just this last month people have:
- Hacked and remotely controlled cars.
- Caught dangerous cybercriminals.
- Have let dangerous criminals slip through their fingers.
- Collectively improved our security posturing.
- Collectively degraded our security posturing.
- Found ways to rootkit CPU’s.
- Found 0 day vulnerabilities.
- Patched 0 day vulnerabilities.
- Announced the release of “security focused” Operating Systems.
What I'm trying to say is that this industry is so dynamic and diverse there’s something for everyone. Now back to why we cause controversy.
Security professionals always punch above their weight
People often assemble huge enterprises more often than not there are some serious security issues with some of these enterprises. Two kinds of Security people show up here. Usually the first one is an architect or some kind of SME who railroads your piece of work single handedly it doesn't matter if it cost you 0 dollars or 500 million to get that piece of work to where it is they will stop you. The second kind who usually comes afterwards, finds those issues and exploits them, this doesn't just bring the piece of work to its knee’s it brings down an entire organisation to its knee’s suddenly and abruptly.
They prod, poke and sometimes bite
A big part of the recent Oracle blog post was that the anger and frustration in the post wasn't sudden it had been built up over years. Security professionals won’t quit they are persistent and focused they will keep poking and prodding even biting until the issue is fixed. This creates a kind of harsh frustration and anger towards us but ultimately without the prodding and poking things often won’t get fixed. I’m happy to do things another way but a viable alternative hasn’t presented itself yet.
They are show you reality
Often in the world there are people who are not always aware of the actual state of things. Often security professionals are the first people to point this out and show you how things are. It’s not usually pretty either when you have imaged something more glamorous you are often angry at the person who took this away from you.
Sometimes they break more than they fix
A big part of a security research is finding interesting and clever way to break things a large proportion of the time we also fix things but it’s harder so not everybody tries to fix things. Hats off to everyone who tries to fix things this small but important contribution is what keeps pushing better security forward.
They issue demands
I haven’t come across many people who likes to have tough demands imposed on them, especially ones they can’t meet. It’s a no brainer as to why this doesn't go down well.
You don’t know them
Many security professionals don’t really share much with other people unless they know them at a deeper level. Usually it’s hard to like somebody you don’t know anything about, furthermore sometimes the nature of a security professional’s work requires them to remain unknown. It’s hard to like ghosts.
Lastly the good security professionals have skill some more than others but in the world skills are valuable these skills are especially valuable. Nobody has problems with us having skills but when you have a powerful skill and use it there is always somebody who will be upset or effected. Make sure that before using your skill it’s for the right reasons.
Don’t let the above dissuade you. What you bring to the table is valuable and necessary but if you became a security professional to have everybody like you, there’s probably an easier way to achieve that goal out there somewhere. If you became a security professional to change things, to up the stakes to try and make people do the right thing, welcome.
Please let me know if found this article useful or if you didn't, Don’t forget to like this post or leave a comment below to let me know another area you would be interested in reading about. As always thanks for your continued support! Until next time!