Career Advice for Security Geeks, Part 2

by Bill Pennington

Maybe you didn’t see my last post in time to save your job, and you are now out on the street looking for one. I have been hiring people for close to 10 years now, and hiring today is a lot different than it was 10 years ago. These tips are based on what I see coming in these days in terms of resumes, and what I do when I see a resume that is at least passable.

1. Customize your email. Every resume I see these days comes in via email, either directly to me or from one of our current employees. Make sure that email is customized to the company and position you are looking for.  Nothing gets your resume ignored faster than an intro like, “I am really looking forward to expanding my role as a Snort IDS engineer,” when you are applying for a job as a web application tester. If you don’t care enough to change an email before you send it to me, then why the heck would I hire you?

2. Google your name and ALL your email addresses. That is what I am going to do. What does that show? Can I find your Facebook profile, your LinkedIn profile, and your personal blog about raising 400 cats in your one-bedroom apartment? Step back and think about what all the data says about you. Are you raging about your current employer? Detailing how you just hacked your neighbors’ network? Talking about how much you really don’t want to work in security? All of those things are going to impact my decision to even bring you in for an interview. Understand that and think about what you are displaying online. It is fine to be you and share, that is great, but understand that a stodgy insurance company might not hire a 30-something skateboarder (me) to be their CISO.

3. Use that network. There’s no faster way for you to get in the door than through a referral from someone I know or someone that currently works here.

4. Contact me via something other than email, such as Twitter, Facebook, or even the phone. I get about 400 emails per job posting, and nothing is going to make you stand out more than showing the effort to reach out to me in another way. In this market you have to show initiative and drive; simply reaching out to me on Twitter will put you in that top 1% real quick.

5. Read our freaking website!! This is question #2 after, “Did you have any trouble finding the office?” And don’t lie, because question #3 is, “Tell me what we do.” If you can’t be bothered to find out a little about the company you want to work for before the interview, what does that say about your work ethic? Nothing good, I can assure you. I am not expecting you to be able to give me a perfect elevator pitch, but I do expect you to have made the effort.

If you are currently out of work please follow the tips above and let me know if they speed up the process at all. Every job opening is getting flooded with resumes; you have to make an effort to rise above the fray to get seen, even if you are a rockstar.


Career Advice for Security Geeks, Part 1


by Bill Pennington

Many of my contacts in the security sphere have recently gone through the dreaded layoff. Many of them have come to me for advice on finding a new position, and many of them ask me why they were in the position to be laid off in the first place. I have had to lay off people in the past; sometimes it is easy and sometimes it is hard. Usually the first round of layoffs is the easiest for the person picking the victims. A few reasons why people are chosen in the first round of layoffs:

1. Attitude – Are you the one always complaining about stuff like no free drinks, not enough vacation days, or having to work a few hours late every once in a while? Guess what? You are inching yourself closer to the top of the list for layoffs. If the manager has to cut, they are going to make it easier on themselves by cutting the people who make their job harder. If you need constant care and feeding, your boss is not going to have time to do that after he cuts 20% of his staff. However, if you are always the person who stays late, asks for extra work, and has a can-do attitude, then you are going to be much further down the list of casualties.

2. Aptitude – Then we get to the basic question: are you good at what you do? I am far more likely to keep the person who can do the work of three people vs. the person who is barely handling his current workload. Remember, I have to not only cut budget by 20% but also figure out how I am going to keep up with the current workload after I make those cuts. Which leads to…

3. Specialist vs. Generalist – This one gets a bit tricky, but for the most part I am going to keep a generalist around as opposed to a specialist, since my generalist can cover for the specialist. The generalist might take a bit longer to get something done, but it will get done. If I keep the specialist I am going to have a hard time getting them to do something outside their specialty. Again, it is important to understand the dynamics. I have no choice but to let some people go, and, being human, I don’t want to be let go the next time around. I don’t want to give my boss a reason to put me on the layoff list. This is totally selfish but a very realistic reaction. The team I have left is going to have to do just as much, if not more, after I let people go. If you find yourself becoming a one-trick pony, work harder to diversify and learn new skills. Don’t be the Check Point firewall guru and only the Check Point firewall guru; the more you know and can do, the more likely it is that you will survive the first round of layoffs.

4. Say “Yes”, always – This is a tough one for security people, since we are generally used to dealing with absolutes. It is pretty clear to us that deploying an unpatched Windows XP system on the internet is a bad idea. Deploying ATMs based on an unpatched Windows XP system and then hooking them to the internet makes me want to scream, “Nooooooooo!” but from a business standpoint that might be an acceptable risk. I always say, “This is what we need to do in order for that to be secure.” That way you are not the “always-say-no” security guy, and the more people who like you, the safer you are.

5. Sometimes you’re just unlucky – If I have to make cuts and everyone is great, it is going to come down to a “gut” call. All the above points are going to come into play, but in the end the differences are going to be so small that you really could not have done anything more to stay off the list.

If you find yourself in this unfortunate position, I will discuss ways to get out of it in Career Advice for Security Geeks, Part 2.


A Tale of Two Vendors or Security Sells


by Bill Pennington

WhiteHat Security recently went in search of a new customer service application and decided we wanted to go with a SaaS-based service. Given our line of work, we included a security review of the application as one of the steps in our due diligence process. What happened is a textbook example of the wrong way and the right way to handle an audit and the subsequent findings.

First, a few quick points. If you go to our website above you can see we do web application security for a living, 24x7x365, on some of the largest web sites on the planet. We know what we are talking about when it comes to web application security. Naturally our customers expect us to have the highest level of security for our web applications. Just because we are using a SaaS vendor does not give us an excuse to have a vulnerable web application. Also, we did this assessment on these vendors for free and walked each through our findings. With that out of the way:

Vendor #1: We loved the solution from a functional perspective; it did everything we needed and more. The price was excellent, so we started our assessment. We soon discovered the application had numerous serious flaws ranging from Cross-Site Scripting to SQL Injection to Insufficient Authorization. This was not completely unexpected, although this application was a little worse than most due to the volume and severity of issues. We set up a call with the vendor’s security and development team, and this is where things went sideways. Their first tactic was to tell us all the vulnerabilities were false positives. This is highly unlikely, since we review all our findings for accuracy. When we asked them why they thought these were false positives, the vendor explained they had a very complex filtering system that would block these attacks “if they were real”. We then explained a few of the findings and showed the results of the test that verified that there was no filtering in place, or that it was not working. At this point the vendor’s story changed, and they began to explain to us that because users had to be logged in, they did not see these as high-risk issues. When asked what would prevent someone from creating an account, the vendor stated, “Nothing, it is a self-service portal.” With that we thanked everyone for being on the call, offered to answer any further questions they might have, and hung up. We told the salesperson the next day that we were not going to use their solution.

Vendor #2: This vendor had a solution that was not exactly what we wanted, but that performed the basics we needed plus a few things we did not need. We started the assessment process and found a few high-severity issues. Within a day, and without even a phone call, those issues were fixed. The vendor had a few questions about the other issues, so we quickly set up a call. The attitude from Vendor #2 on the phone was the exact opposite of Vendor #1. They were clearly interested in making their software more secure and were not defensive about what we had found. We walked them through a few of the issues they needed help with, and they told us they would have them fixed in their next release in about a month.

Needless to say, we are going with Vendor #2.

We do not expect perfection from vendors, nor do we expect them to drop everything to fix all the issues. What we (and you) should expect is the right attitude: examine the issues, correct the highest-risk ones, and address the lower-risk ones in a time frame that makes sense for both sides. As more and more software moves to the web, more and more of your corporate data moves with it. You can’t outsource risk and liability, so hold your vendors accountable for the security of their solutions. Ask them what they are doing to ensure the security of their web applications. If you get defensive answers, or answers that have nothing to do with web application security like, “we use Qualys or Nessus,” I suggest moving along.


The Balkanization of Web Application Security

By Bill Pennington

Recently on the Web Security mailing list a bit of a holy war broke out over web application firewalls. For those new to the web security space this might be the first time they have seen this occur, but as someone who has been in this space for over nine years now, this is nothing new, and that troubles me. After all this time we are still fighting petty battles while the bad guys run amok, exploiting web application vulnerabilities left and right.

Why all the fighting? Can’t we all get along? What is the cause of this fracture?

My opinion is that a majority of experts in web application security are only experts in web application security. Few have run a business, had to work within a budget, or had to make tough trade-offs between securing the code you have today and investing in securing the code you might have tomorrow.

In addition to a rather narrow focus that generally excludes any business experience, most people in the web application security space are specialists in one particular area: source code review, black box testing, web application firewalls, or developer training. This lack of knowledge of the other solutions generally breeds fear and contempt.

So what is a business to do? The first thing you must understand is that no single solution will solve your web security issues; each has its strengths and weaknesses. In order to have a comprehensive solution you need to be doing all of them in some capacity. This comes as a shock to most people I speak with, who think web application security is just one more thing that needs just one solution. The reality is that web application security is a very complex problem with some rather simple solutions and some very complex and expensive solutions.

Businesses need to properly assess the risk to their company’s assets in order to match the security spend with the value of the asset. This is not always easy, as many web application assets have grown outside the view of information security. Ask yourself how many web sites your company has, what they do (business-wise), what data they have access to, and how valuable that data is. Now double the number of web sites, because I can guarantee you have underestimated; even the most mature programs still have big gaps in their knowledge of their web assets.

Once you have a decent grasp of your assets and their value, then you can properly assess what to do in order to protect them and at what level. For the web site that 90% of your revenue flows through, you are going to want to do everything you can to protect it and make sure it is developed securely. The web site that 20 business partners use, that was written by the CFO’s son as a class project, and that no one has any idea how to fix (because it is written in Seaside) requires a different approach altogether.

Bottom line: don’t get too wrapped up in the rhetoric, and I would not trust anyone who is only touting a single one-size-fits-all solution. Pick the solutions that best fit the security required for a given asset at the time, and understand that the solutions you pick today may need rethinking tomorrow. The web application security space is still a relatively young discipline and is growing every day.
