Wednesday, January 30, 2008

Tools Need People!!

Very enlightening post from Jeremiah Grossman here. It is obvious, some would say painfully so, but many, many sadly don't GET IT: tools don't solve problems, people use tools to solve problems.

Excerpt: "... I stopped short and said, “That’s never going to work!” A little stunned he asked, “Why not?”" (read more)

There is also a side conclusion: if you don't plan to actually use the tools or don't have anybody who would use it, it really won't matter which one you'd pick - you are guaranteed to flush your money down the toilet ...

4 comments:

dre said...

Who said anything about money?

Commercial solutions are the wrong solution to most IT issues.

I think investing in tools/technology is much better than investing in people when it comes to an automated testing solution. We are talking about automated testing, correct?

The problem is that security is not seen as critical by upper management, so in many cases, it must be handled from the top-down. There are already plenty of people in most organizations, but not enough technology is being used correctly or with completeness.

CSO/CISO's shouldn't be saying, "I need a team of web application security professionals". They should be saying, "I need to locate where and how my organization acquires software and put stop-gaps against vulnerabilities in that software, starting with the most critical".

If the software is COTS, or prominent open-source: vulnerability management can solve this issue. MITRE OVAL-Compatible solutions can provide access to known vulnerabilities.

The problem then arises to handle custom software. This can be best dealt with by a Secure SDLC program. If you can't enforce a Secure SDLC program - it might be easier/better to replace that custom software with a different solution. Spending years on "custom" security testing for "custom" software is not only a nightmare, but it's also a money toilet. Secure SDLC practices combined with CWE-Compatible solutions is the cheapest path to combat unknown vulnerabilities.

Jeremiah is just saying all that nonsense to confuse and pollute the industry to the needs of WhiteHatSec. However, WhiteHatSec is not an approved CWE-Compatible solution, nor are they even trying to be. Jeremiah sees everything as attack-oriented, hence the creation of WASC. His view is limited, and I encourage you to ignore it and concentrate on the underlying issues.

Anton Chuvakin said...

>Commercial solutions are the wrong
>solution to most IT issues.

Huh??? This sounds - at least - unconventional and - at most - silly. This pretty much sounds like "all IT products don't work," which is hardly true even if often they hardly work.

>I think investing in
>tools/technology is much better >than investing in people

You mean the opposite, right?

I somehow thought that you need people with tools and not just tools....

dre said...

Commercial solutions are the wrong solution to most IT issues.

Huh??? This sounds - at least - unconventional and - at most - silly. This pretty much sounds like "all IT products don't work," which is hardly true even if often they hardly work.


I was thinking that open-source solutions are usually better than commercial. For example, W3AF is better than Core Impact. Metasploit is better than CANVAS. CentOS is better than Microsoft Windows Server 2003. Xen is better than VMWare ESX. Zimbra is better than Exchange. Zenoss is better than HP Openview. OSSIM and OSSEC are better than ArcSight and CS-MARS.

I think investing in tools/technology is much better than investing in people

You mean the opposite, right?

I somehow thought that you need people with tools and not just tools....


I meant "amount of time/money". Clearly you do need to hire people. For security business processes that aren't considered "core business functionality", it is best to outsource 20-40% of this to a managed security service provider. Best examples: managed security monitoring, managed firewall, managed intrusion-prevention, managed AV, et al.

Unfortunately, external and Intranet web applications are usually considered "core business functionality", so WhiteHatSec shouldn't be used. Reverse engineering isn't really a core business functionality, so Veracode should be used.

Anton Chuvakin said...

>I was thinking that open-source
>solutions are usually better than
>commercial

Woooo, this is like a maaaaaajor stretch which borders on a religious discussion. What about the areas where there is NO OSS solution AT ALL?

Also, from the list of your example, some are doubtful while others are clearly absurd.


>For security business processes
>that aren't considered "core
>business functionality", it is

That IS a good point indeed! So many orgs outsource "stupidly" but that IS a good guidance to follow!

Dr Anton Chuvakin