Professionalizing Security? Let’s Start with A Better Internet.

A new report came out recently that argues for the professionalization of computer security practitioners. I haven’t checked my calendar lately, but if you’ve been in this business long enough you know you can expect to hear this refrain about every two years. Never mind the existence of organizations like ISC2 and SANS (and others), which test and certify practitioners of varying skill levels and areas of expertise; what the world needs now is honest-to-goodness professionals – such as exist in Engineering – to keep us safe. Let’s pretend for a moment that the government(s) would actually back such an idea: how does that actually improve online security? It’s a great deal for certification companies and whatever outfit wins the contract to set up the security version of SEI, but how precisely does this proposal make things better?

Forget about any new/future technologies and think about the Internet as it is for a moment. For all the fiber optics and pretty LED-lit boxes that inhabit the data centers of the world, the ‘Net and everything that rides on it is basically held together with duct tape and baling twine. You don’t have to be a “professional” programmer to write an app, strike a chord, and make a billion dollars. Any random Joe or Jane can literally connect any ‘thing’ to the Internet by meeting the most minimal of requirements, get a metric ton of people to use it, and then watch the train wreck as the simplest thing brings it all crashing down. As soon as the smoke clears, the first thing people will start screaming is: “we need better security to stop this from happening again!”

Yeah, that’s not a security problem.

The vast majority of Internet “security” problems are divided between engineering decisions from the 60s not jibing with the desires and demands of the present day, and poor coding practices. You can talk about the sophistication and heavy thinking required to design and implement a secure system all you want, but most work in this field is janitorial in nature: cleaning up the mess the founding fathers left us.

To be fair, it’s not the founders’ fault we’re in this situation. The ‘Net at its founding and what it is today are two wildly different things. Every year we just kept layering new things on top of a resilient-yet-brittle structure, and when things break we point our fingers at the bad guys. Fair enough, as evil-doers deserve punishment, but by the same token we have to take responsibility for our risky behavior/environment. I mean, notice how the OWASP Top 10 changes so radically from year to year…

…Exactly.

This is not to say that we should not constantly be looking at ways to improve and mature our field of endeavor, but let’s start to focus more attention on the meat of the problems we’re dealing with before we start thinking about having pudding. “Professionalizing” coders? That’s likely to go over like a lead zeppelin for obvious reasons, but some kind of “UL” for the ‘Net to bless what anyone puts together is not an unreasonable approach.