I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.
A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).
Grossman: For me it was…I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don’t know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn’t go to college to be infosec pros, it just kind of happened. They followed opportunity.
BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?
Grossman: It’s tough to give solid advice without knowing more about a person. For instance, are they interested in network security or application security? You can get by in IDS and firewall world and system patching without knowing any code; it’s fairly automated stuff from the product side. But with application security, it is absolutely mandatory that you know how to code and that you know software. So with Cisco gear, it’s much different from the work you do with Adobe software security. Infosec is a really big space, and you’re going to have to pick your niche, because no one is going to be able to bridge those gaps, at least effectively.
BK: So would you say hands-on experience is more important that formal security education and certifications?
Grossman: The question is are people being hired into entry level security positions straight out of school? I think somewhat, but that’s probably still pretty rare. There’s hardly anyone coming out of school with just computer security degrees. There are some, but we’re probably talking in the hundreds. I think the universities are just now within the last 3-5 years getting masters in computer security sciences off the ground. But there are not a lot of students in them.
BK: What do you think is the most important qualification to be successful in the security space, regardless of a person’s background and experience level?
Grossman: The ones who can code almost always [fare] better. Infosec is about scalability, and application security is about scalability. And if you can understand code, you have a better likelihood of being able to understand how to scale your solution. On the defense side, we’re out-manned and outgunned constantly. It’s “us” versus “them,” and I don’t know how many of “them,” there are, but there’s going to be too few of “us “at all times. So whatever your solution is or design criteria, you’re going to have to scale it. For instance, you can imagine Facebook…I’m not sure many security people they have, but…it’s going to be a tiny fraction of a percent of their user base, so they’re going to have to figure out how to scale their solutions so they can protect all those users.
BK: What kind of programming languages do you think are most relevant, useful and applicable to today’s environments?
BK: What’s the best way for people who have already have coding skills to cut their teeth on security work?
Grossman: If they’re at an established organization, they can go to their security department and ask how they can get involved. If they can code, believe me there’s stuff they can do in security to help automate the process. Most every place that has a CSO or IT department where they do some stuff in security, someone interested in this field could ask to take on some projects to start cutting their teeth – code some things and implement things, and start that way. At least for me, I find learning on the job far superior to going back to school or going to get a cert. Just try to start finding areas where you can add value.
BK: I’m guessing you’re not big on certifications?
Grossman: At least in security, I never had one. But I might be an anomaly. A lot of people that have them seem to derive value from them. But I hire people all the time, and I never gave a crap about security certs.
BK: Well, then how do you determine whether someone knows what they’re doing or talking about?
Grossman: I think we’re the exception and not the rule, but we try not to hire security people, because they have bad habits. We prefer to train our own. So we’ll take programmers or computer science students and train them in our way of security. But again, other Fortune 500 companies, I’ve heard CISSPs are mandatory. For good or bad reasons, it is what it is.
Grossman: It seems to be. It’s probably not the only one. But Web security is a subset of all application security, and anything in appsec seems to be hot. Finding 0days, working for governments, things like that…those seem to be pretty interesting, up-and-coming fields. VUPEN is on the record saying they wouldn’t sell their Google chrome 0day for a million dollars, because they’re going to get more money from other governments. And the field of exploit writing and development has gotten a whole lot of PR recently with Stuxnet and Flame and Duqu and all that.
BK: I would think you’d have to be fairly advanced at what you do to play in that field, no?
Grossman: Well, I think if you’re a really good, let’s says C# developer, and you know the guts of ASLR and DEP, I don’t think it’s more than a couple of months past that point to actually understand how to go about finding vulnerabilities and exploiting them. I don’t do that myself, but there are a couple of core technologies that you absolutely must learn to do this stuff.
BK: But if nobody is teaching security and programming securely, how do people — even if they endeavor to grasp something like C# and understand how it’s supposed to be written — how can they be confident of learning it well enough to find the bugs in the security stuff? Or should they be thinking about that from the get-go — to question their own assumptions?
Grossman: What’s interesting is all that all the new 0days that are coming out, none of them are using new techniques. They’re using techniques that are already well known, and then chaining them together. I think it was a 19-year-old kid who won a competition this year at CanSecWest by chaining together [a number of] bugs to make a full bypass in Google Chrome’s security. It only gets difficult when you’re finding a brand-new technique and bringing the industry forward. But if you’re willing to research all the white papers and read about the different ways to manipulate software…it’s only first time that’s hard. The second time is easy. If you’re building the next Stuxnet for the government and you need to find some zero days to do so, you don’t need to break new ground. You just need to use some known techniques in the existing software to find bugs no one else has found yet. And they’re there.
BK: So, focusing on finding zero-day vulnerabilities is a career path you’d recommend in infosec?
Grossman: For better or for worse, ethics or not, this is the future that we’re going to have to deal with infosec. A recent quote resonated with me, by Haroon Meer; he said everyone is one zero-day away from compromise. And if that’s the case, if you take a particular piece of software, whether it’s Flash or IE, ask yourself what does a zero day cost? And that cost is how much money it takes to break into a target, provided they have perfect security today.
BK: What advice would you give to folks who want to get hands-on and learn how to break and fix stuff?
Grossman: It depends on what they want to break, whether it’s web sites or, say, mobile devices. OWASP has something called Webgoat, which is something you can install yourself to practice your hacking skills on. It’s a purposely broken webapp, and you can use it to start learning some tricks. If you want to do some live exploration, there are a number of sites out there that let you safely, legitimately hack them. Google, Facebook, Mozilla, and you can try your hand at it. There are a bunch of them listed at Dan Kaminsky’s site. Some will pay you money if you find and report bugs, and some won’t. But either way, they’re public and they’re legal. They all have bugs, and at it seems like at least one is posted in Google like every week or two.
BK: Well, you know what they say: It’s not what you know but who you know. Any advice for getting to know some security geeks who might one day introduce you to your future boss?
Grossman: That’s easy…go to a security conference. They’re not all expensive. There are at least one or two every week now, all over the world and in just about every country. I think 200-300 days out of the year there’s a security conference going on.
Have you seen:
How To Break Into Security: Schneier Edition…Last month, I published the first in a series of advice columns for people who are interested in learning more about security as a craft or profession. In this second installment, I asked noted cryptographer, author and security rock star Bruce Schneier for his thoughts.