Friday, February 18, 2011
What makes security professionals different from IT administrators and application developers?
Security consulting has been a passion. To me it is about realizing the weaknesses in technology and sociology, understanding how things that work can be made to stop working and possessing the ability to link multiple threads to obtain a desired outcome! This maverick attitude differentiates security professionals from their more traditional IT counterparts. Let us take three common examples to demonstrate how security people perceive reality differently.
IT professionals trust software and their features
Cloud computing is a rage with security a key concern. I asked an experienced IT administrator who set up an open source cloud infrastructure why he felt it was secure. His felt it was because he had properly configured the software security features. IT people trust the software and its features and on the contrary security proffessionals view them with skepticism, fully knowing that a backdoor would eventually emerge.
IT professionals do not understand security risks
The second example is of a senior IT operation head trying to convince me that running security operations was similar to IT operations. He believed that any IT or network administrator could as easily maintain a security infrastructure, as all it needed was a knowledge of the security product, similar to a good old server or router. What the IT professional failed to realize was that during security operations such as a rule change there is a risk process to discover what underlying assets will be exposed and why. IT professionals follow structured incident or change management processes and do not consider the surrounding evaluation of security risk and consequent asset exposure. They also fail to realize the dynamic nature of security threats as normal IT risks are fairly static.
Security Professionals have sophisticated understanding of underlying code and its ecosystem
The third example lies in the false belief of software professionals that they build secure software. Most developers and testers feel that their code is not vulnerable; it is the infrastructure that is. Testers do not realize the difference between use cases and misuse cases. They believe that testing for secure login is simply about checking the application response if an incorrect password is used. Security professionals do smarter things like SQL injections, which is a combination of exploiting two unchecked valid authentication and database mechanisms. The same can be stated about developers who lack the understanding of how code logic can be manipulated by persons with an intuitive understanding of how code runs, like hackers. The security professional has a sophisticated understanding of the underlying code and its ecosystem using their skill to exploit weaknesses in working and tested code.
There are only a few IT professionals who are security savvy, for a vast majority there is a need to learn to think like security professionals to build security into every aspect of IT without the need for a security professional.
But for true security professionals, our jobs will still remain as there is one element no IT professional will ever take away; our ability to challenge and defeat even the most secure system, because that’s simply who we are.