
2 posts from September 2008

September 11, 2008

The world is full of penetration testers

Mark Curphey has a nice little rant over at his blog: Are You a Builder or a Breaker.

[...] I personally find it is disappointing that after a decade of it being considered a discipline in its own right, it is still predominantly made up of breakers and not builders. It’s still predominantly made up of an army of skilled hackers focused on better ways to break systems apart and find new ways to exploit vulnerabilities than “security architects” who are designing secure components, protocols and ultimately secure systems.

I feel the same way. The world is full of penetration testers, who are paid to break things. While I don't have anything against that—they are doing the people they work for a valuable service—it is a shame that we don't have more people who are willing to work to increase security. It is telling that only very few people work on the defence side because they passionately believe in making things better. Sometimes it feels the only people on this side (my side) are those who are paid for it. (Truth be told, I am paid for my work these days, but it wasn't always like that.) It's really sad, but at most conferences you will find that the most popular talks are those that mock the current state of security on the Web.

We should pay more attention (and help!) to the efforts that are designed to improve security, for example the Intrinsic Security Working Group at OWASP.

September 05, 2008

Stop picking on Google Chrome

Chrome, the new browser from Google, apparently has some security issues. So what. Chrome is a brand new application, exposed to the public for the first time, and marked as beta. It's expected to have security issues. The whole point of having a public beta release is to expose a product to a wide audience and deal with the discovered problems prior to a stable release. The existence of security issues in Chrome is in line with our current inability to develop software free from security issues. Thus, people should not be distracted by the small problems that are now being discovered. We should be looking at the big picture instead. Chrome is a browser that's been designed from the ground up with security in mind. That's bound to have a positive impact. We'll know more about the impact once the details of its architecture surface.

On the other hand, we should put pressure on Google to stop it from abusing the beta moniker like it did with GMail. Blurring the line between beta and stable is simply not acceptable. How else are users going to be able to judge what is acceptable for production use and what isn't?


ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
