What We Learn from the Heartbleed Bug - 3/3
So You Want Perfection on a Shoe String Budget??
In my two previous posts (this post, and that post) I elaborated about the Heartbleed Bug, how it turned out that we had security issues in the components we most rely upon. This happened despite the software being security-critical, open source, and supposedly being tested by thousands of experts for free.
We all want to check whether our systems are secure. And if you don't test, you definitely won't find any security issues. Just remember that others may find your vulnerabilities for you, whether you like it or not. Ergo: sensitive systems need to be tested for security vulnerabilities. Machines are quite good at testing, since they work around the clock and don't even take vacations. But there are indeed cases where only human beings can deliver results.
But humans act under two big, bad constraints: the budget and the deadline. Every hour costs money. And there is a date by which the tests need to be finished. And the client wants to be secure...
- We paid for the security tests and you accepted the assignment, didn't you? So why did we get hacked?
- Well, the budget didn't allow us to do that much work. With double the hours available, we would have had time to investigate that vulnerable software module better.
Are Experts Worth Their Premium Fees?
Maybe the question should be phrased less provocatively: are the top experts always the best choice? My expert security test colleagues are going to kill me for writing this, but the answer is often "no". I will probably have to sit alone for the next afterwork beer.
But it is a fact: the security test business has become increasingly commoditized. The IT security test industry is so large today that there is a flourishing industry creating security test software. 20 years ago, penetration testers needed to write their own tools and maintain their own "bag of tricks".
Today every "pen tester" uses a selection of the ready-made tools available. Canvas. Metasploit. Backtrack. Kali. Qualys. Nessus. OpenVAS. Core Impact. And the rest of them. And the experts - I mean the top 10 experts of the world - they use these tools too.
And the funny thing is: when the world champion of IT security "white hat penetration tests" audits a web server, he/she may find 20 security vulnerabilities. And any average security consultant, using the same tools, may find 18.
An Unexpected Quality Indicator
In a world of limitless resources and no deadlines, all you have to do is find the best expert in the world and pay whatever fee is requested. If you don't live in that world, take this advice: go for the bidder with the lowest hourly fees that is still capable of doing the assignment.
They will be able to put more work into the project, and they will have access to the same tools as their competitors.
My security colleagues, true experts both within Cybercom and within the local Swedish competition, will probably hate me for this blog post. On the other hand, my colleagues in eastern Europe have few rivals anywhere in this line of business - and they have already started to change the market here in Sweden. They get about 50% extra hours out of any client budget.
Swedish IT security testers will have a tough time ahead as more clients understand the wisdom of selecting the consultants with the lowest hourly fees. Let's not kid ourselves into believing that this competence only exists in our local marketplace.
The hackers come from eastern Europe, right? Well, there are good guys there as well!
Just remember: the more hours you can put into the test, the more vulnerabilities you will find. And your security test budget has a limit.
OK, So What is the Third Lesson of the Heartbleed Bug?
There may be security vulnerabilities in your precious e-commerce site, or whatever you want to protect, that are not in the core scope of your current security testing. Maybe you want to expand the testing scope, but you have problems increasing your budget.
There are solutions to that dilemma. Just do the math.