2/27: Handling Security Wrong: Brett Hardin

by Gene Kim on


Brett Hardin

2009 Velocity Conference: 6/22-24, 2009, Santa Clara, CA

I'm re-watching John Allspaw [(@allspaw)](http://twitter.com/allspaw) seminal 2009 presentation called "10+ Deploys Per Day: Dev and Ops Cooperation at Flickr." This talk is widely credited for showing the world what #devops coudl achieve, showing how Etsy was routinely deploy features into production at a rate scarcely imaginable for typical IT organizations who were doing quarterly or annual updates.

This SlideShare presentation and the Blip.tv video can be found on John's page [here](http://www.kitchensoap.com/2009/06/23/slides-for-velocity-talk-2009/).

Presented with Paul Hammond [(@ph)](http://twitter.com/ph), who was his VP Engineering counterpart at Flickr/Yahoo.

Talk Title: "Security: We're Doing It Wrong"
Presenter: Brett Hardin, @miscsecurity

  • Formerly pen tester, now CEO of SourceNinja
    • "Been on phone w/PCI Security Council, who claimed that infosec 'is exact science':" Oh, really? :)
  • Citing VzW #DBIR 2010: "There wasn't a single confirmed intrusion that exploited a patchable vuln"
    • VzW: Given this, it makes you wonder whether infosec is even approaching the problem correctly
    • Asking q on how malware [largest breach vector] got there, which shows unpatched vulns are a contributing cause
    • Showing 2007 CVEs as evidence that patching is inadequate (this is great & unusual criticism of DBIR)
    • Showing Heartland, Sony, Citibank breaches showing outdated/obsolete software as prevailing root cause
  • Now he's showing problems of vuln scanning on VMs: often version #'s don't show Redhat/Debian code fixes (false positive)
    • Q: do VMs really help vuln remediation? A: if you need to recompile/redeploy, no. (Really? #puppet/#chef could help)
    • 5 Whys: "The reason that car alternator failed isn't belt wore it; it's because it wasn't routinely serviced"
    • "Applied to vulnerabilities, the root cause isn't because of patching; it's because developers are stupid" (haha)
  • Rule 3: Stop trying to "solve" impossible problems
    • "Of course we know 'developers are stupid" isn't the real answer: vulnerabilities will always exist"
    • "At big dev conf, someone asked if ur dev team wrote the code for airplane, would you be comfortable? All hands went down"
    • "APT is just the word you use to pass the blame (defender) or amplify FUD (vendors)" (haha)
    • "Penetration testing should only be used after having security process (e.g., vuln scanning, remediation)"
    • "Nothing is worse than being on pen-testing gig than when you can't find anything. 'Oh, here's a cookie risk'"
    • Wow. Citing Eric Ries, Toyota 5 why's in security context. Nice. Boundary spanner.
    • Eric Ries: "Minimum Viable Product is always less than we think it is." Ex: put up svc plans that don't exist yet. Nice.
    • RT @MikD: #BSidesSF @miscsecurity: discussing the Lean Principle & Minimum Viable Product (MVP) http://t.co/U8D8GNxT
    • I.e., for web svc, show monthly plans: $30/$60/$100; All but $30/mo will get "doesn't exist; provide your email addr"
    • Proposing Lean approach to infosec: small batches, fail fast and early. If can't fix few, how can we fix lots? Nice.
  • "Rule 3a: Don't teach developers security: evidence shows this doesn't work. It shows Dev games system."
    • "62% of FSI think time to market and need to release products w/shorter dev cycles is #1 issue" (bad for infosec)
    • "Who would get fired first: infosec, develoeprs, execs, sales, bizdev" (all but one are cost centers)
    • Haha. All but infosec increase profits. Infosec is just cost center. Hilarious. True.
  • I suppose what @miscsecurity is proposing is that Infosec needs to work for free.

Notes for Flynn:
* problem arising that hashtag doesn't match Session -- I want to append @miscsecurity, but want to watch all #bsides. Any suggestion?
* Correcting tweet doesn't retrofit fixes: when does it?
* Changing hashtag from #bsides to #bsidesSF doesn't change Stream
* I've changed my mind: tweet stream doesn't go back far enough. Had to go back to Twitter client to scan mentions, and then got back, and got only a couple of minutes of tweets -- suggest 20m window