Cenzic 232 Patent
Paid Advertising
web application security lab

State of Affairs

This post is a few months overdue but here it is. I’ve been heavily involved in the security industry in one respect or another for well over a decade, and until recently, I had the luxury of being able to talk about whatever I pleased, especially when I got myself out of a few handcuffs that I was bound by a few years ago (around the time I started this blog). I had a lot to say and henceforth you had this website in all it’s glory. However, since I started my own company, I’ve had the fortune or mis-fortune, however you want to look at it, of being exposed to a lot of things I wouldn’t have been able to see otherwise.

That means, I am now under contract with lots of the same companies I have talked about in the past. These same companies I have talked about in positive and negative ways both. Clearly I’m not out to screw anyone, the negative stuff was mostly about my feelings regarding certain technologies. If you have seen me suspiciously not talking about things, it’s probably because I’m either too busy to talk about it or I have a reason I’m not talking about it. Long ago I used to say that I talk about 1/3 of what I know. Another 1/3rd was stuff that could only hurt people with no positive gain and the last 1/3rd was stuff that was just too theoretical or too out there for people to understand since it wasn’t yet provable. Unfortunately, the first 1/3rd (the stuff I can talk about) has been shrinking rapidly and being replaced by a fairly large percentage of things I cannot discuss. That means I’m less fun to read in blog posts, in interviews and at parties.

Rest assured, my knowledge has increased a lot since starting this website due in large part to how much more I have had the privilege of being exposed to. So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings. Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time and I know how poorly writers get paid. ;)

That’s the down-side. The up side is that I am not going to stop blogging, but it might not look like it has in the past, if you read my earlier posts. I thought this was an important distinction that I make public, just as I did when I told everyone that I was starting my own company so I could no longer be considered an unbiased source of information.

I started this site because of my family. I wanted a chance to make the Internet a safe place for them to interact with. What better way than to scream from the mountain top that is ha.ckers.org about the issues I see on a daily basis? I can, with lots of quantifiable evidence, say that things are worse now than they were when I started this site. But at least now people are finally aware of the problems, enough to carry that torch without my direct input. The topic of Webappsec was esoteric and lame to most people even two years ago, but now it’s finally come into it’s own, and not just because I decry it, but because there are dozens of websites and many companies devoted to the topic now. My hope is that maybe one of the readers of this site will pick up where I left off and do what I have I as of this moment been incapable of doing - make the Internet a safe place for all our families. I will continue to do the same with a slightly diminished vocal profile than before.

I apologize if this post seems like any sort of betrayal, as that’s sincerely the last thing I would want. But in the spirit of full disclosure, I wanted to at least let you know why things may seem a lot slower now than they did even a year ago. Although I can’t tell you what I know, I will tell you this - things are far worse than they appear, and there are no shortages of extremely vulnerable applications out there as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are.

Lastly, I will talk about this more in the coming months, but I am writing a book that will probably be one of the few highly technical documents I put out to the public for a while. Even though it might appear that I’m writing less than ever, in actuality, I’m writing more. O’Reilly has tentatively agreed to publish it (contracts are not yet signed so no promises yet) and I’m really looking forward to getting it out into the hands of the people who do want to make a positive change towards the security of the Internet. If you’re one of those people I invite you to read the book when it’s finished. I’ll give more details at a later date.

I looked at my Google feedfetcher stat today in my logs - over 3,800 subscribers on Google news alone with over 7,000 total subscribers through various feed readers alone! For those of you who have followed this blog for the two years or so since I started it or for any substantial time, I really appreciate your readership. Thank you, everyone. I mean it! You’re like family to me - you know, like that close-talking crazy aunt that no one likes, who has all those cats. ;)

22 Responses to “State of Affairs”

  1. Dan Says:

    I too am interested in Web security for many of the same reasons you cite (i.e. your family, etc.). I became interested in security last summer after seeing news item after news item indicating the ever worsening problem. I’m working on a Ph.D. in this area, with emphasis on software engineering in particular, and would like to pick your brain for a dissertation topic. I’d like to help carry the torch. Contact me if interested.

  2. mckt Says:

    Ditto… I’ve been looking to do more security research work lately, and am increasingly troubled by the poor state of security all over the internet.

    I’m the CISO for a web design company and have been working with developers to improve their applications’ security. It’s sparked a lot of debate, some good discussions, and started me wanting to start a blog of my own.

    Perhaps a group project between a handful of researchers? If not .ckers affiliated, maybe it could be put together as yet-another-security-community-type effort?

    Just throwing ideas out there.

  3. thrill Says:

    Knowing the pains you guys have gone through with this site, and how much pain it has been dealing with the freeloaders that just want to criticize your hard work, I can’t say I blame you. It would be nice if the money equaled the criticism, but as a former ‘provider of free stuff’, I know that’s not the way it goes.

    As always, you know you can count on my help in anything you pursue. Thanks for the great education you have provided!

    –thrill

  4. Awesome AnDrEw Says:

    I will undoubtedly purchase your material once it becomes available, but I actually do find this post to be a rather sad occurrence as I’ve been frequenting the site almost every single solitary day since early 2006 eating up whatever information you have been able to provide even if I am not capable of discerning it all immediately.

  5. ntp Says:

    “So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings”
    “Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time and I know how poorly writers get paid”

    It would be easier on this industry if Jeremiah and you just came out and said, “We don’t know what we’re doing anymore and have lost sight of the real issues”.

    The reason why writers are so poorly paid is because they face criticism from supporters of the current regime. If you and Jeremiah had remained agnostic with regards to technology/tools (i.e. web application security scanners and web application firewalls) and had kept your mouths shut about short-term solutions — then people would start to ask the right questions. Instead, web application security has repeated the same mistakes of the old school of information security: a focus on technology solutions instead of process and people. Case in point: the PCI requirement 6.6 and associated fallout.

    The journalists of ZDNet and some other places: in particular Nate McFeters, Larry Dignin, and Dancho Danchev — seem to be doing just fine with their writing pursuits. I don’t hear any “buy product X, buy WAF Z” coming out of their camp. I don’t even see comparisons. I see people talking about real problems — real stories about breaches and compromises. But these guys are the only ones I’ve found who have reliable and current information lately.

    It’s ok that you didn’t succeed… there are no successes and failures when dealing with security — only failure. You can’t expect to win. So keep your head up and keep working/writing, but it would be nice to keep the focus off technology solutions and towards a more agnostic view based on process and people. I would also like to note that there is more to risk than just security — we need to look at the broader issues from multiple perspectives, multiple professions, and a broader range of ideas (i.e. the Medici Effect).

    One of my favorite recent posts on XSS/SQLi/CSRF was by Jim Manico of Aspect Security - http://www.darkreading.com/boards/messages.asp?thread_id=189500&msg_id=158138&t=true#msg_158138

    The above clearly shows why the media and current regime still doesn’t get it. They just don’t understand the basic problems and fixes for web application vulnerabilities. Two years ago, Ckers.org, JeremiahGrossman.Blogspot.com and Gnuciziten.org were some of the only places to go for reliable and somewhat accurate information. In 2008, we’re left with the media — some of which get it and some of which do not.

    Also — if the idea of this website was to protect your family, why is the main success of this website been as a guide to understanding/writing XSS exploits? At some point, we’re going to have to stomp out public vulnerability research that makes exploitation easier than fixing said vulnerabilities. Either that, or you should link to XSSDetect, FindBugs, Anti-XSS Library, and OWASP ESAPI at the top of the XSS attacks page.

    Of course, you could always instead put up an advertising banner that shows a picture of a black, scary-looking appliance that says “Stops XSS Dead in Its Tracks!” with a giant, red-glowing logo that links to F5.com…

    I bet you’d make a lot of money from that…

  6. Jac Says:

    Thank you! I love your blog.

  7. MikeA Says:

    RSnake, I know exactly where you are coming from! The more we all learn about webappsec, and this industry in general, the more we realize how screwed we are (and from the clients we work with, how bad things are out there, and how unlikley things are to change). I know what it’s like doing consultancy work, and the time demands, so (as I’ve told you already), I wish you the very best of luck. It doesn’t matter how infrequent your post become, I’m sure (myself included) you’ll still have a good number of subscribers.

    @Dan - I’ve been through the process you are going through, so if you want to get in contact, I’d be happy to help. Get in contact in the usual way.

  8. Rafal Los Says:

    Haha… I love how no one takes the trolls (ntp) seriously on blogs anymore… Great post, keep up the good work, we value your opinions as much as we love to read your ramblings.

  9. ntp Says:

    @ Rafal:

    I love how everyone takes the vendors so seriously in the popular media. It’s best to follow the advice of people who have something to sell, and who force and corner people into buying their products in order to justify their existence and their paychecks. Who else are people with problems going to listen to?

    In our world, there are mavericks (innovators) and there are those that follow the status quo. It’s historically been a case that those who follow the status quo attack/troll the innovators, yet with the same breath they claim the innovators are the trolls.

  10. Spyware Says:

    This seriously sucks. That’s all.

  11. Matt Says:

    Sorry to hear that. I hope you can keep informing us of as much as possible. I don’t understand most of what you write :-) but I do learn bits and pieces.

    Keep up the good work.

  12. TheHorse13 Says:

    I too have wandered down the same path as you. When I started working for the Govt. I was suddenly exposed to so much more than I imagined but of course cannot disclose any of it. What’s more is I cannot openly endorse those who are actually doing the right things in this industry.

    That said, anyone who has been around security for a decade or more understands that shoveling shit against the tide is futile. Organizations are not ready and/or not able to understand security because they don’t understand the fundamentals of their own business process.

    Anyway, before I rant, just a humble thanks for the many posts and some of us know exactly where you’re at in your career.

  13. Rafal Los Says:

    You know, the sad reality is that at some point we all have to make a choice. Life isn’t about how cool you are, how much you write, or where you draw your paycheck - it’s about being credible and knowledgeable. You my friend, have both in spades. I’ve worked for the past 5 years in a company that tries to contractually disallow people from within to talk about anything publicly - so I left and went to work for a vendor that encourages me to think freely, and speak/write on topics that are relevant. Does my employer require me to make mention of our wares? of course, how else would we all be employed - but at least (like Jeremiah pointed out to me) we’re passionate about what we do, where we do it, and what it is we support. Having a filtered mouthpiece isn’t always a bad thing … restraint often implies a sort of maturity that comes with experience.
    All that being said… I personally hope you continue to write, and maybe we’ll publish books around the same time (different topics, I suspect) but in the end you’re still blazing the trails which others will follow for years to come.
    Keep up the good fight.

  14. wconway Says:

    Reading your post (and Jeremiah’s parallel one) saddened me. I haven’t always been able to understand all the technical details of each of your posts, but I have learned a lot from you. Many thanks and keep blogging. A little something is a lot better than a whole lot of nothing.

  15. Robert Says:

    The irony is that the longer you do this the more cool stuff you’ll learn and won’t be able to speak about. This is why cgisecurity hasn’t been as updated as I’d like as life/work/other projects have kept coming up.

    Welcome to the world of becoming an Infosec Sellout! j/k

    - Robert
    http://www.cgisecurity.com/

  16. Spider Says:

    Its not just you, it seems like there has been less and less new stuff coming out of the web application security community. So, my questions, which you should be able to answer, are thus:

    Are there less new categories and types of vulnerabilities being discovered, or are those that discover them prevented from speaking out about them?

    Or does most of your work consist of finding new combinations of existing vulnerabilities in your clients applications?

  17. Marcin Says:

    @Spider, the web application security community has shifted to a newer round of folks. Just look around, and you’re bound to come across others who are just as good or better.

    @RSnake, thanks for blogging all this time. Hope you don’t let money and vendors impair your judgment and prevent you from educating others. Good luck.

  18. Matt Presson Says:

    Sorry to hear this, but it has been great reading nonetheless. Hope you will still frequent the conference circuit, and continue to create great contests like the XSS worm contest.

  19. Jon A. Longoria Says:

    @RSnake

    Robert, I can totally comprehend your anxiety with having your hands bound in this regard. Its too ironic how we’ve been assimilated into the uncanny positions we’re in as I too suffer from the same privacy ailment with regard to private sector and .gov/.mil binding agreements. I decry your statement that the security trend has worsened as the gospel itself and thankfully many fine minds have taken notice and taken it seriously to attempt to root out the problem(s) - unfortunately, in my eyes it is a Pandora’s box, one of which will not be contained, either by ineffectual resource/personnel allocations and efforts to moderate it or by corporate greed to cash in on the security-scare thats been cultivated in under a decade, in tune with the idea that we’re living in the times of our own electronic ‘Cold-War’, but instead of nuclear strikes, we’re concerned with the decimation of our monetary portfolios or archival data and assaults by counter-operative governments compromising national technology infrastructures.

    After so many years of us having an open conversation, I’m depressed that there are so many things I can’t be open about. One of the would-be contributors, Phill, to theReformed couldn’t be apart of the effort for this very reason since it is an inherent conflict-of-interest and we had to give farewell to another contributor, a good friend of yours and mine, who felt compelled to depart because of an article’s content that HAD to be published under full-disclosure. We’re lucky though to have other contributors that aren’t and we’re seeking out both types moreso everyday to provide umbrella coverage in this regard.

    Because of the potentially licit complications, I find myself searching for hours on how to expel a topic in my discourse without tripping over a NDA. This has greatly limited my authorship on content and I’ve had to adapt my contributions to moreover trend analysis and market research rather than effectual, explicate instructions on target compromise and solutions thereof.

    As always, I appreciate your contributions to this industry that has been cultivated. I hope to be in your area for a visit sometime this year and would like to get up with you for lunch.

  20. SethF Says:

    Bitter-sweet! I am happy for you :) While some might say this is an end of an era, I consider it more of a pause. I highly doubt you will remain silent for too long and am looking forward to checking out this new book!

  21. Mephisto Says:

    I completely agree, the more privileged information you gain access to, the more restrictions are placed on you about sharing that information. Being security professionals (most of us) are bound by the ethics of the industry, especially when dealing with confidential client information, system architecture, etc…

    It used to be fun talking about how to exploit vulnerablity A or bypass some type of validation…now it’s just work! :)

  22. malkav Says:

    probably one of the biggest problem within the security industry. RSnake idea of a NDAed meeting looks like the only solution though. with 7 as a sysop/syseng i signed, what, 2 NDAs ? 3 ?
    3 three month as an independent security contractor, i already signed 12. on 4 different clients. come on. that’s three NDA/client (in fact, two made me signed one. one made me sign 2. one made me sign 8…)

    how come we can progress if we cannot communicate ?