Sunday, April 13, 2008

Interview with Learn Security Online

Chris Gates of Learn Security Online offered me the opportunity to participate in an email interview that’s been recently posted. When I consented I did so on the precondition that the questions would be engaging and not the generic, boring template type all too often used. When reading other people’s interviews I prefer seeing compelling answers to thoughtful questions and I think Chris did a great job.

During the interview I dive into a fair bit of detail about my past, how and why I founded WhiteHat Security, thoughts on the maturation of web application security, guidance on how others can get started, my views on the state of the industry, and finally where I think things are headed. We covered a lot of ground and discussed many of the important issues. Here’s a snippet:

# LSO #

Say I want to get into web security, it's HUGE, where do I start?

# JG #

At the beginning! No seriously. If I had to start again, the first thing I’d do is pick up a programming language like Java or C# and develop my own super simple Web applications to get the basic concepts. Then, I’d seek to understand how the Web is architecturally put together from the ground up. That means learning everything I could about TCP/IP, HTTP, DNS, SSL, and general encryption. I’d make my own Web servers and Web browsers, create little tools to create packets in the various protocol layers, and basically play around with all the technology till I felt really comfortable. Then, I’d work my way back up the stack learning HTML, JavaScript, and the DOM, all the while making little applications to keep my interest. But, what you’re probably asking at this point is “where is the security,” right?



kuza55 said...

IMHO telling people to start at the very beginning is elitist bullshit. (The same goes for telling people they *must* learn how to program first)

People should learn things when they are interesting or relevant, not because someone named some arbitrary buzzwords from the top of their head. As long as they keep their interest up they'll learn everything they need to and they'll have fun doing it.

Even if it produces skiddies in the short term, it's more important for people to have a passion for the field than follow some methodical system to learn everything you have.

Anonymous said...

You had better read Godel, Escher and Bach before you start talking about "halting problems" and their solvability. Turing did solve the problem; and we have the term "Turing Complete" to describe such systems - however, the vast majority of markup languages today (html, javascript, etc...) are not "Turing Complete" because the designers were not educated language theorists. We do have a couple of languages still in use that are, however: Lisp & Scheme.

In Common Lisp because data and program are the same, it is quite common to write programs that take other programs as data and write new programs as output and execute them!!!

If you work in the domain of such languages then these problems are quite solvable.

Additionally, academia has produced a great body of security work that simply has not made it into industry; academia has also found solutions to many of the problems as well. However, they are not glamorous business propositions and they certainly don't offer anybody a quick buck bandaid like say WhiteHat/F5 just to name one example.

No, they require you go back and do the things you should have done in the first place and implement a Security focused SDLC. That you Engineer and Architect solutions and stop "ad-hoc, omfg it worked" developing them.

So no, it is not the "halting problem" that is holding the industry back; it is misinformation provided by snake-oil salesmen selling their magic security solutions, and industry's continued misspending of security dollars on those products instead of correct engineering practices that prevents security from happening.

Anonymous said...

I agree with kuza with respect to individuals learning due to interest, and not out of what someone else has deemed a necessity. At some point or another the individual will pick up some type of a programming language, and probably review every aspect of the OSI model, but it all comes with time and interest.

Jeremiah Grossman said...

wow, who knew a personal interview could be so controversial. heh.

@kuza55, my answer was meant to be anything but elitist. It was meant to be taken more as a reflection of my personal learning methodology and assumes the person is already interested. Perhaps even passionate. Everyone has a preference on how they like to go about learning a subject and this process has served me well. Of course if someone else has their own, that's fine as well.

As one example, we recently came across a group of experienced web developers and we needed to describe to them how we were able to hijack another user's session. Basically a simple cookie tamper hack. At one point during the discussion one of them asked "what's a cookie?".

This struck us by surprise, but this lack of HTTP comprehension is more common than most would like to believe. Today's frameworks hide all that stuff very well and developers just work with APIs. As a result many of the fundamentals are no longer necessary to get day-to-day stuff done, that is until a security issue crops up and this deeper understanding is required. Hence, my start from the beginning answer.

kuza55 said...


Sure, people should probably work out what cookies are if they want to understand client-side issues with the web, but there's no reason they have to learn about client side stuff first, maybe they're far more interested in server-side stuff and all they really need to know to start there is that they're editable by users. And even if we assume that people should probably get familiar with HTTP pretty early, why do they need to know how TCP/IP works straight away? Same goes for SSL and DNS. Also writing web servers or browsers is pretty needless even if it will teach people something.

There's a lot of stuff to learn and saying people must learn everything straight away is fairly pointless.

CG said...

If you go back and read the past interviews on the site, a reoccurring theme in the interviews is people recommending learning to program early on. If all these people say it, there "might" be some merit to learning some languages early on.

Learning to program should be mixed with plenty of "doing stuff", that stuff would be whatever you are interested in. But with security the way it is, you can spend all your time playing with tools and then all of a sudden realize you can't put your ideas into code or not very easily and that just sucks.

Anonymous said...

I also agree with what you've stated, cg. I learned to program out of my own interest, and later concerned myself with things such as how HTTP works and security, but I can attribute a majority of the things I bothered to learn to programming. A solid foundation in any language is pretty useful.