I was scanning Chris John Riley’s post, “The more things change, the more they stay the same!”, and noticed a mention of a Jeremiah Grossman talk, “WebApp Security: The Land that Information Security Forgot,” which incidentally has some older slides available for a taste of the content.
Yeah, we’ve come a long way and haven’t really gotten very far. But I think every era in security will likely echo the same sentiments.
Nonetheless, glancing at that talk title rehashed a thought I keep coming back to: not enough security people are technical enough. It’s one thing to throw an infosec guy into a room of developers and have him spout generalities and vague security concepts (which is just going to turn off the developers and further drive a wedge of passive disrespect); it’s another thing entirely for the infosec guy to talk and operate on the level of a developer, down to sample code and pointing out real-world issues. I think that’s the part that is difficult these days, and it’s not limited to web apps. I also think this is why QSAs (PCI Qualified Security Assessors) are poorly positioned, misunderstood, and far too often treated as consultants when they really aren’t.
If you know a young person who has technical interest such as building web sites, and also has a budding interest in security, please do what you can to stoke those fires early, before their coding workload and life responsibilities overshadow their other enthusiasms.