Security Tone Deafness

We, as security professionals, have to raise our game. We have to be respectful and helpful. We have to know our audience and speak their language. If we are seen as the guys who will pounce on a mistake and publically humiliate the organization who makes a mistake, we will only make enemies among those we want to help. If we take the attitude of “every mistake is a catastrophy,” we will be ignored by management who will hear us saying “the sky is falling” and they will look out their window and see that the sky very plainly is not falling.

I will let Hunt’s own words express it best (modified slightly by me).

there [is] a bit of an opportunity here – an education opportunity for [security people] who like to learn from anti-patterns, i.e. seeing how those who have gone before them have done it wrong

Over the weekend, a whole storm spun up over Tesco‘s web site security. I made a bit of a storify of it. They store passwords in the clear, they violate a bunch of SSL best practices, etc. Troy Hunt gets credit for the seminal tweet. Prompted by the flurry of interest, Hunt goes on to do a bit of investigating and blogging. What I think is noteworthy about his blog is the tone of voice. It undermines the (true and important) message and it represents a failure I think is common among security people. My favourite tweet was from matthewhughes: when he says “I think tone is less important than being right. And Troy was spot-on, IMHO.” That is exactly what I mean by “security tone deafness.”

2 Comments

  1. You know for the most part Paco, I agree with you; delivery of the message is important, objectivity is essential and impartiality is necessary if you want to retain any semblance of credibility. As a developer, I’ve been on the receiving end of many blunt, non-constructive messages from security professionals which come across as authoritarian and frequently, out of touch with the realities of delivering working software.

    What makes the Tesco case interesting is that the messages I delivered in my blog – particularly around plain text passwords in emails – have been delivered to them many times over many years by many people. In each case – without exception – Tesco responded with nonchalance and a clear misunderstanding of the underlying security concepts that their concerned customers were putting forward to them. To use your phrase, Tesco has clearly been “tone deaf” to the real and valid concerns expressed to them.

    My post was direct and it also offered constructive advice to developers building web applications. In my role as a security professional (yes, I do wear two hats), I always try to articulate specifically what the risk is and what the practical mitigation is, indeed this is why I wrote the OWASP Top 10 for .NET Developers – to give practical, consumable advice.

    Developers are very frequently at the coalface of decisions such as how HTTPS is implemented and I assure you, this is often the case in organisations the size of Tesco. But in the developer’s defence, security concepts can be quite foreign; the necessity to protect auth cookies via the “secure” attribute, for example. Where possible, I try to write with a degree of humour and lend some character to what can otherwise be a very mind-numbing topic.

    To try and wrap up on a positive note, when a post like this does get some good air time a whole raft of developers who weren’t previously au fait with many of the security concepts discussed suddenly have exposure they wouldn’t previously have gained. That post has resulted in many thousands of views of other posts such as building secure password resets, the risks involved in using fast hashing algorithms for password and the OWASP Top 10 series I mentioned earlier. The other thing it has resulted in is something that has been years in the making: as of today, Tesco is no longer emailing password reminders. And that, I’m sure you’ll agree, is a very positive step in the right direction.

    1. Troy, thanks for the comment.

      If the business wants to do dumb things and wants to ignore good advice, that is its right. When security people come out and ignore the business’s priorities and desires and make blanket assertions that technical decisions must run a certain way regardless, then the security people have overstepped their remit. When the security community takes it upon itself to attack and prove the point, the community has WAY overstepped its mark.

      Tesco has made a change for the better and they did it in response to customer feedback. I see the “victory for the little guy”. I really do. If people demonstrated, tweeted, facebooked, etc. and it was all just peaceful negative publicity, I might think this was the right way to go about giving market feedback. But that’s not what happened. People attacked. They found XSS. I heard rumours of SQL injection. I feel like, collectively, the security community went beyond persuading Tesco customers (which would have been great) and instead they threatened the business and threatened innocent customers’ data. That’s right back to being tone deaf. Tesco doesn’t think security is important, so we force them to think otherwise.

      Is it our place (anybody’s place?) to tell Tesco what their password handling policy should be? Is it our right to decide what they do, how they do it, and when they do it? Is not that their right? At what point is it OK for those smart people to up the ante and preempt a business’s sovereignty?

Comments are closed.