Security Engineer Manifesto

What view should a security individual working in the security space have? What’s their role? Should they know software development, or only security? Should they do testing, or should they only provide direction, what level of direction should they provide? What is their responsibility within the organization, what personal and ethical responsibility do they have? – These any many more questions answered! This is my declaration of what a security engineer should be like and their thoughts /views I expect any person working within the security space I hire to share on some level.

Engineer No Evil

As a person working in security, you’re going to know the organization’s most dirty laundry, you’ll quickly learn to discover where the vulnerabilities are and are not. You must keep this this information confidential and exercise good judgement with whom to share this information and when to share this information. You likely have advanced knowledge of tools which can be used to exploit said vulnerabilities, and/or the programming ability to do so. You must act in a manner protecting your organization from the vulnerabilities you have knowledge of at all times. You must never attempt to exploit your organizations security vulnerabilities for your own benefit, outside of the organization.

Be Professional

A security engineer should conduct himself/herself with professionalism, honesty and decorum. You’re dealing with a sensitive topic and there are going to be disagreements, discussions that you will feel you’ve won at times and at times lost. You must conduct yourself in a professional manner. There are often things beyond even security that need to be considered always. You should not let these situations dissuade you from your professional duties bring up the next issue, act with professionalism and don’t be afraid to speak out about vulnerabilities.

Understand the Business

In addition to being a professional and engineering no evil within your own organization, do not attempt to hack other businesses, groups or social engineer people on your own time. Your actions whether you’re being paid for your time or not are a direct reflection on the organization you work for. If you get caught as a security engineer attempting to infiltrate another business, that will cast serious questions on the business that you work for. You have the tools to do illegal things, don’t!

Don’t do any outside security work on the side for other organizations. You have no idea the business relationships that may or may not exist within a large organization. Doing outside work gives the appearance you’re not fully dialed into your own work, and may damage your organizations business relationships on a larger scale.

When you leave your current place of employment regardless of the terms that you’ve left on you’ve got the ability to cause substantial harm, because of the dirty secrets you possess. Be an ethical professional engineer and see item no. 1 engineer no evil.

Take time to learn the business I firmly believe that every technical person should spend some time job shadowing and learning the business that they are working in. Learning the business will be incredibly beneficial, in 5 Habits of Highly Effective Security Leaders Sarah Vonnegut talks extensively about aligning security as a business enabler throughout the organization, I agree completely with her thoughts on this. Attaining alignment on these items is impossible if you don’t clearly understand the business and how the business functions. The business is your bread and butter, it’s what drives the money that allows you to get paid, the technology and security aspect you bring to the table is critically important but not more important then the business itself.

You also have to understand that security cannot be obtrusive to the business as Vonnegut said, security must be a business enabler. If the security is too obtrusive and opaque, users can’t use the technology, and I’ve said this before what’s the point. The most secure website in the world is one which nobody uses, it’s also the least profitable.

Continue to Learn

Your security skills don’t stop when you leave university, college, CISSP training or whatever other training there is out there, you need to continue to learn, new technologies constantly mean new attack vectors and new security vulnerabilities. You should find read, new blogs, books articles. Find the authors you like & follow them on twitter, so that you can see when new information comes out. Look to the Information security leaders, learn how to become a leader yourself.

Your learning shouldn’t be limited to the environment on the space you work within, you need to keep yourself relevant and become an expert in the security space you’re currently working in, but also maintain a broader knowledge of practices procedures such that you can move to a different organization or business unit with relative ease. Security is an emergent topic that grows more everyday, it’s not an industry in which you can silo yourself rather the information security is a space that transcends silos. A security engineer that silos themselves is someone that will quickly become ineffective.

Keep on top of your tool set, share your knowledge and learn, a highly effective security leader is a life long autonomous learner.

Learn How to Program

The most effective security engineers are the ones that know how to write code. This makes them effective for many reasons, when you write code and in order to do so you really need to understand technology and how technology works. Writing software allows you to understand and explore basic concepts such as network programming, web programming, desktop development and services and options there within.

This will help you understand how to work with software developers and architects better to explain why some code is vulnerable or not, what the right thing to do is when presented by a difficult security challenge in code. You may also be asked to help write secure coding standards or best practices for software security and if you don’t understand various aspects you’re at the mercy of Google to help you figure those out, yes Google will get you started however to truly be effective you must also understand what you’re writing about.

Even if your organization does no software development in and of itself, understanding how to write software will help you to gain a better understanding of how the various security tools you’re using work.

I was once asked why a security tool only reported 4% of the vulnerabilities it should have reported, various people I asked did not know only saying this is how I use the tool and therefore if the tool doesn’t report a vulnerability it shall not exist. – Through a deeper investigation I discovered that this was actually not the case at all, there was some code executing in an HTTP handler module that was preventing the tool from successfully completing the scan, with an intimate knowledge of programming I was able to logically deduce what was happening and in turn write a piece of software to circumvent the blocking procedure in the HTTP module, this allowed me to fully exploit the initial finding and subsequently identify more vulnerabilities.

Programming also allows for a quick proof of concept and creative testing policies. If you don’t know a programming language, I would suggest learning Python - it’s quick and it’s easy.

Improve Culture

For a reason that I cannot put my fingers on, the security still isn’t taken seriously, you cannot be a security engineer that says “Well I tried”. You have to come to work willing to educate, talk, beat, drive security initiatives, trying doesn’t cut it in 2015. You need to continually discuss and press the urgency of security issues within your organization.

More importantly though, you need to educate everyone about security. It should be your personal mission to take the collective security knowledge of your organization or group and improve it. There are many different strategies to use, lunch and learns, emails, virtual training, in person training. You need to learn how your organization best responds to learning and drive changes through that, when everyone starts thinking about security, then security wins.

Learn How to Pen Test

Learn how to do effective penetration testing, and I don’t mean running tools like WebInspect, ZAP, MVM or anything of the like, take time to learn how attackers are going to try and break your applications and then break them yourselves. Learn how to inspect an application, whether it’s a web application or a service. Then think outside the box, penetration testing is more than just the physical steps an attacker might take to break your application or break into your application, penetration testing is, how can malware exploit your application, what can it do, can it spawn a remote thread to look like a piece of your application, can it read your application’s memory, cause a crash dump.

Folks will tell you that once malware is on the server or the network the jig is up —DO NOT BELIEVE THEM!  Consider an application with minimal hardening a piece of malware might not be able to read the connection strings (because they’re encrypted) in the web.config – However it doesn’t have to if, the malware can create a remote thread and execute it’s on DB Queries. However if the application is sufficiently hardened to prevent remote thread execution then the malware is ineffective in this attack vector.

Let the QA teams run the fancy tools, learn how to do real penetration testing, which requires a knowledge of programming.

Question Everything

Respectfully question everything and anything form a security perspective. This is your bread and your butter, your success. Chances are your organization will be breached, the question you’re going to try and eliminate is how severe the breach is, to what extent. Don’t accept an application owner or developer or manager telling you something is secure. You have a right and a responsibility when charged with a security role to verify it for yourself. Don’t let the environment get you down, maintain a positive attitude and question question question….

The post Security Engineer Manifesto appeared first on Security Synergy.