This article covers some ways I’ve gotten security bugs fixed inside a company.
Finding bugs is a technical problem, fixing them is a human problem.
Finding bugs: Exciting.
Fixing those bugs: Not exciting.
The thing is, the finish line for our job in security is getting bugs fixed¹, not just found and filed. Doing this effectively is not a technology problem. It is a communications, organizational² and psychology problem.
A decade ago on the Microsoft vista pentest we³ found some bugs. Then as we worked to get those bugs fixed we got a lot of excuses back: “but that would be illegal”, “just a denial of service”, “ but its a perf hit”, “but the victim would have to click on it”. …
It appears the Equifax breach hinged on an unupdated Apache Struts vulnerability. Lots of security people are talking about lots of different dimensions of this breach but one portion is the (in)secure use of 3rd party code. The security of 3rd party code is an area of application security that doesn’t get much attention so I want to highlight it.
Reasonable engineers rely on the work of others. This work comes from other parts of the company, the open source community or a commercial product. …
A concept sometimes used in Silicon Valley to describe an engineer that is 10x more productive than an average engineer although the 10x metric is figurative.
10x or not there are definitely patterns in how strong engineers approach their work and career. Generalizing these patterns into lessons illuminates how to be a better engineer, and employee.
This draws from my experience as an programmer, team lead, manager and manager of managers.
This is the bedrock of you as an employee. Be careful when you say yes to something because you must now see it through to completion. …