AverageSecurityGuy

Security, Programming, Pentesting


1 February 2012

Security Breakers vs Fixers

by averagesecurityguy

This is a response to Ryan Ko's blog post "Will the 'real' IT security researcher please stand up?" posted at hp.com. The gist of the article is that there are too many security researchers who do nothing but break things and offer no methods for fixing them. He illustrates the problem with this quote: "If a fire breaks out, which kind of people would you prefer? The ones who incessantly scream: 'Look, there is a fire!' or the ones who actually put out the fire and then gather together to design the place to be more fire safe in the future?"

I would argue that he is describing three different people with three different skill sets. We need people yelling "fire" and getting folks out of the building (researchers and exploit writers), people to put out the fire (incident handlers), and people to find ways to prevent fires in the future (development teams). These are very different skills, and most people will not possess two of them, much less all three. Instead of disparaging the security researcher, embrace her skill set and give her a way to contribute to the solution.

By the way, most security researchers are finding flaws related to unsanitized input (buffer overflows, XSS, SQLi, etc.). These flaws are a result of fundamental problems in the development process, and unless you are prepared to offer every security researcher a job doing development work at your company, you are contributing to the researchers' inability to create a "quantum leap to prevent similar events from happening."
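To make the point concrete, here is an added example (not code from the original post) showing why an unsanitized-input flaw such as SQLi is a development fix rather than something a researcher can patch from outside: the vulnerable query builder sits beside its parameterized replacement, plus the allowlist validation a development team would put at the input boundary. The table, usernames and the probe input are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data so the example runs offline.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Allowlist for what a username is permitted to look like (an assumption
# for this example, not a rule from the original post).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """The 'before' picture: user input is pasted straight into the SQL text.

    Whatever the caller supplies becomes part of the query grammar, so the
    WHERE clause can be rewritten by the input. This is the class of flaw
    the post says researchers keep finding.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """The development-side fix: a parameterized query.

    The SQL text is fixed at development time; the driver passes the value
    separately, so the input can only ever be compared as data.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username):
    """Boundary validation: reject input that does not match the allowlist.

    Validation is defence in depth on top of parameterization, not a
    substitute for it. Rejecting (rather than trying to 'clean') keeps the
    rule simple and auditable.
    """
    return bool(USERNAME_RE.match(username))


def lookup_user(conn, username):
    """What the shipped code path should look like: validate, then query safely."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_user_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    # A constructed probe string that closes the quoted literal and appends
    # an always-true clause; it shows the two code paths diverging.
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_user_safe(db, probe))     # no such user
    print("valid? ", validate_username(probe))        # rejected at the boundary
```

The unsafe function is the kind of thing a researcher reports; the safe function and the validator are the kind of thing only the development team can ship, which is the division of labour the post is arguing for.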

tags: breakers - fixers - infosec thoughts - thoughts