Tuesday, May 20, 2008

the nature of things

I agree with RSnake. It seems the inescapable curse that the more successful one becomes in the infosec industry, the more interesting information they may access and the less they can share about it. It’s terribly frustrating and unfortunate because so much is lost as a result. When my blog started it was simply a place where I could speak openly about personal webappsec interests, meet others in the community, and converse on a wide variety of technologically cutting-edge and conceptual topics. I had no idea if anyone would even care to read it. Still, I’ve always tried to be completely open about what I believe and whom I work for, because bias will surely creep in.

Almost ten years in the industry, some two years of blogging, and 500 posts later, never did I dream that I’d get to meet so many great people whom I learn a lot from and receive such a tremendous readership. For that I’m grateful and have always been committed to giving back by sharing what I know and assisting others where I can. During the same time, professionally I get access to way more highly sensitive and sought-after information than ever. Knowledge that’d make you laugh, cringe, worry, think, get excited, and get upset. Much of it is locked up in NDAs, intellectual property, and business relationships, but it also helps me see what’s coming 2-3 years out.

This brings me to the second thing I agree with RSnake on. Things are bad, much worse than they appear, worse now than when I started, and probably because we’ve learned a great deal about the existing problem, as have the bad guys. Top down are endless mountains of critical vulnerabilities we’re incapable of fixing the conventional way (through code), built on platforms of technology that are suboptimal security-wise, and we can’t simply start over from scratch. Bottom up, incidents are taking place daily, some waiting to take place, rarely spoken of, especially by me, and almost never in detail by anyone. I only get to hint at the specifics and what lessons we may learn. Heck, I can’t even share a lot of it with RSnake for the same reasons he can’t share back.

This means the bad guys have an edge. They aren’t bound by the same rules as we are, and as a result are more nimble than us, which is the third thing I agree with RSnake about. Readers here and on his blog have the clearest path to reveal the things we can’t directly. That’s why we support them the best we can, and perhaps this is a healthy progression that keeps the industry fresh with new people and ideas. This is not to say I won’t be doing everything in my power to provide the information people need to protect themselves online should they want to. That’s essentially what I do for a living, and I have no desire to make a living writing books. :) So with that I disagree that my blog, at least, will be watered down. I still have lots of cool stuff to talk about, look forward to hearing what others think, and thank you to everyone who takes the time to read.


Anonymous said...

For clarification, this does not translate into new aspects of web application security being kept secret, correct? I'm referring strictly to concepts that may arise, or have already been created, such as the very issues you have relayed to readers in the past: XSS, CSRF, and subsequently combining these topics to provide works like the JavaScript port scanner, or the CSS "history hack". I thrive on many of the innovative techniques and discoveries posted by you, RSnake, GNUCITIZEN (the entire group), Ronald van den Heetkamp (0x000000), Billy Rios, and a few others. It's understandable that your business commitments prevent you from being able to share a majority of your findings, but please post what you are able to, and what the rest of us may find beneficial.

Jeremiah Grossman said...

Ahh that's a very good question.

New attack techniques and their solutions will continue to be freely and openly released by me (WhiteHat) as we come across them. Most of the time I still have to sanity check with other trusted experts though, which could cause some delay.

The specifics of the types of malicious things that can potentially be done with them, malware PoC, get to be a little bit of a gray area, as are details of how to automate vulnerability discovery and unique instances of what sites they appear on. That's what sla.ckers.org and XSSed.com are for. Something RSnake and I really can't do personally.

Incident details are areas almost always off limits, as is how the company goes about resolving the matter, other than what is already publicly available of course. I think this is the area RSnake and I were most focused on. The agendas and directions people take that rarely get revealed heavily influence the state of things.

Is this what you wanted to know?

Anonymous said...

Just keep on posting what and as you can. Your insights and comments are still highly valued. Thanks for your posts in the past, and I look forward to reading more for a long time in the future.

Unknown said...

Good post! We often become a self-perpetuating cycle of non-disclosure and then complaining about lack of information sharing as one of our biggest challenges.

Soon (if not already), such professionals are going to lose credibility if they complain about a problem they perpetuate.