The work of an application security specialist is to tell people how to improve their app or their overall system configuration from a security point of view.

After a couple of months, if you’re good enough, they will feel a mix of respect, fear and hate when they receive your email.

People don’t want to hear that they are not good enough at doing something. Even when this applies to a field outside their area of expertise, they are rockstars and you are the bad guy trying to piss them off.

People have their own perception of security:

  1. the classic one: we’re not a bank, we don’t have credit cards, so people won’t attack our site. Penetration testing is useless; we even installed antivirus software.
  2. the one from people who believe in appliances: we installed a WAF, didn’t we?!? So we’re safe, why bother with tests or reviewing the code?
  3. the immutable one: that server we never tested has been in production for years. It works. Nobody attacked it, so why do you want to test it?
  4. the project manager one: we’re behind schedule, we don’t have time for security tests.

The funny bit is that I would do the work for them; testing their code is part of my job. From a psychological point of view it’s interesting to see someone tell me not to do my job because they don’t want to read reports that will bring them more mitigation work.

It’s also important to understand that, to me, it matters to have a risk indicator for that server or that application.

Sometimes it happens that a web application is crappy and completely badly designed. It suffers from almost all the risks listed in the OWASP Top 10, but remediation is almost impossible.

It would cost too much.

And they say this to me as if I had reported the most useless modifications in the world.

I don’t think we, as application security guys, can reach everyone in Information Technology. Moreover, we can’t reach people who have more power than us from an internal political point of view.

It’s not an easy job. You have to deal with people who most of the time don’t understand the technical report you’re submitting or, even worse, don’t want to understand what you are saying. They just stop listening when you say “some mitigation steps are necessary”.

You don’t have to take this as a personal offense; just carry on. You must understand their needs and try to find a tradeoff with your security needs.

It’s not a job where everything is black or white; you have to use every possible shade of grey if you want to reach most of your developer or executive audience.