

Jeff Williams

Great post. OWASP does have lots of "builder projects" - the venerable OWASP Developer Guide, the Enterprise Security API, AntiSamy, Java security project, and lots more.


It is basically easy for outsiders to understand a breach, but almost impossible for them to understand a building. This is very seductive, and of course it is too easy to puff oneself up as being good at what you don't understand.

How we get over that is hard to say. Classically it was done with guilds, but they don't work so well in an Internet context because there is an open market in guilds, so the race becomes a race to the bottom -- course signups, certificates, etc.

More on the blog.


I'm not so persuaded, myself.

I find it strange that these posts seem to equate being a "Builder" with knowledge of SAML, Enterprise Message Buses, WS-x specs, UML diagrams, authZ, and so on. Security is not about features; it is about assurance; and likewise, I suspect the essence of being a good builder is not about knowing a checklist of standards and buzzwords, but about principles and methods for building secure systems.


Jeff - you're right, ESAPI in particular is a great example.

Iang - yes grandstanding is one of the biggest problems.

None - Security is not about assurance. Assurance is about assurance. Security is about policy and mechanisms, assurance is about making sure they are consistent. We need better mechanisms.

Andrew van der Stock

@ None - It's been said before: one person with a Bobcat can demolish a house in a couple of days. It takes months and many skilled folks to build a house that meets code, stands up to petty burglary and high winds, and keeps out drafts.

Which is more useful to society? Building. It produces wealth and has a useful output.

What don't we have? Enough security architects and trained developers who know how to do this stuff right.

Researchers like myself are in the building mindset because we know enough about breaking stuff (face it, with web apps, breaking pretty much every app is too easy), but not enough about secure building. We can't do it alone.

It's not solely about SAML, but it is important to understand the security implications of a feature, the best way to implement it, and what the ramifications of failure are.

If I asked you to write a safe and robust login process that uses Active Directory, how would you go about preventing LDAP injection? Are there controls that can minimize the risk of dealing with the AD interface? Is there a parameterized LDAP interface? Can you bind to AD using an encrypted but low privilege account? Why is a low privilege account important when verifying a login?

Most breakers simply do not know the answer to these questions, and yet if you want to be a security architect, you must know this stuff.

It's far, far harder to be a builder than a breaker. At least an order of magnitude and the domain knowledge required is maybe two orders of magnitude more than breaking it, especially if you're a breaker who only knows tools.
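The login questions in the comment above (LDAP injection, a parameterized way to build the filter, and binding with a low-privilege account) can be answered concretely. The following is an added example written for this page; it is not code from the thread's participants or from any OWASP project. The in-memory `FakeDirectory`, the `svc-ldap-lookup` service account, and the user entries are all constructed for the demo so it runs offline; against real Active Directory the same `search`/`bind` calls would go to a client library such as ldap3 over LDAPS, and the escaping is the RFC 4515 rule that such libraries expose (e.g. ldap3's `escape_filter_chars`).

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it can only match as a literal."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str) -> str:
    """Vulnerable: raw concatenation lets the caller inject filter syntax."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def login_filter_safe(username: str) -> str:
    """Hardened: the username is escaped, so '*', '(' and ')' are data, not syntax."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


# --- minimal RFC 4515 filter evaluator so the demo runs without a server ----

def _parse(s: str, i: int = 0):
    """Parse the filter starting at s[i]; supports &, |, ! and '=' with '*' wildcards."""
    if s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ')':
            raise ValueError("unterminated compound filter")
        return (op, kids), i + 1
    if s[i] == '!':
        node, i = _parse(s, i + 1)
        if s[i] != ')':
            raise ValueError("unterminated NOT filter")
        return ('!', [node]), i + 1
    end = s.index(')', i)                    # an injected ')' ends the value early
    attr, _, val = s[i:end].partition('=')
    return ('=', attr.lower(), val), end + 1


def _value_regex(val: str):
    """Unescaped '*' is a wildcard; \\2a and other hex escapes become literal chars."""
    unescape = lambda p: re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), p)
    parts = [re.escape(unescape(p)) for p in val.split('*')]
    return re.compile('.*'.join(parts), re.IGNORECASE)   # AD string matching is case-insensitive


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == '&':
        return all(_matches(k, entry) for k in node[1])
    if kind == '|':
        return any(_matches(k, entry) for k in node[1])
    if kind == '!':
        return not _matches(node[1][0], entry)
    _, attr, val = node
    actual = entry.get(attr)
    return actual is not None and _value_regex(val).fullmatch(actual) is not None


class FakeDirectory:
    """Constructed stand-in for an AD connection exposing only bind() and search()."""

    def __init__(self, entries: dict):
        self.entries = entries                # dn -> {lowercase attribute: value}

    def bind(self, dn: str, password: str) -> bool:
        # An empty password is an *unauthenticated* simple bind (RFC 4513 5.1.2).
        # Real AD accepts it and reports success, so a login routine must never send one.
        if not password:
            return False
        entry = self.entries.get(dn)
        return entry is not None and entry.get('userpassword') == password

    def search(self, filter_str: str) -> list:
        node, end = _parse(filter_str)
        if end != len(filter_str):
            raise ValueError("trailing data after filter")
        return [dn for dn, e in self.entries.items() if _matches(node, e)]


def authenticate(directory, username: str, password: str,
                 service_dn: str, service_pw: str) -> bool:
    """Two-step login: lookup with a low-privilege bind, then bind as the user."""
    if not password:
        return False                          # refuse before an unauthenticated bind happens
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    # The lookup account needs only read access to sAMAccountName. If its password
    # leaks from the app config, the attacker gains a read-only search credential.
    hits = directory.search(login_filter_safe(username))
    if len(hits) != 1:
        return False                          # no match or ambiguous match: deny
    return directory.bind(hits[0], password)  # AD verifies the password, not the app


# Constructed sample directory (not real data).
DIRECTORY = FakeDirectory({
    'CN=svc-ldap-lookup,OU=Service,DC=example,DC=com':
        {'objectclass': 'user', 'samaccountname': 'svc-ldap-lookup', 'userpassword': 'lookup-only-secret'},
    'CN=Alice,OU=Users,DC=example,DC=com':
        {'objectclass': 'user', 'samaccountname': 'alice', 'userpassword': 'alice-pw'},
    'CN=Bob,OU=Users,DC=example,DC=com':
        {'objectclass': 'user', 'samaccountname': 'bob', 'userpassword': 'bob-pw'},
})

if __name__ == '__main__':
    print(DIRECTORY.search(login_filter_unsafe('*')))   # injection: every entry matches
    print(DIRECTORY.search(login_filter_safe('*')))     # []: '*' is now a literal
    print(authenticate(DIRECTORY, 'alice', 'alice-pw',
                       'CN=svc-ldap-lookup,OU=Service,DC=example,DC=com', 'lookup-only-secret'))
```

The two binds answer the last question in the comment: the service account can only read, so neither a leaked config nor a crafted username lets the application's own credential do anything beyond a lookup, and the user's password is never compared by application code, only by the directory during the second bind.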



This kind of feuding about who is more important, Builders vs Breakers, is not helpful. Yes, many of our systems are so insecure they're all too easy to topple over. Yes, good Builders are in short supply. Yes, we need more knowledge of how to build good systems. But yes, Breakers can play a useful role, too.

We can recognize the important contributions that Builders make without belittling the contributions of Breakers. Let's do that.

P.S. And let's not make the mistake of thinking that knowing a lot of industry buzzwords of the day necessarily makes you a great Builder, any more than having an ISSCA certification necessarily makes you a great security expert. At most, buzzword compliance is a necessary but not sufficient condition; at worst, buzzword compliance can become part of the problem, because it channels people into building upon complex, poorly-engineered, but industry-standard stuff.


None - both builders and breakers are important. Builders are under-represented in the community today.
