The Security Genome - Understanding How People Find Security Bugs

I think I may buy shares in Wired. I seem to plug it every month when I read articles of interest that spark my imagination. After reading the Web War One article I was engrossed by the Halo 3 story. Just yesterday I had a conversation with someone about the sophistication of games versus the relative unsophistication of security. I think the security industry has a great deal to learn from the games industry in terms of user experience, technology and the process of software creation. Where's the AI, amazing user experiences, social networking and wisdom of crowds?

[Image: Heat map generated from DNA microarray data reflecting gene expression values in several conditions]

Bungie Studios (makers of Halo) hired a psychology graduate who has built a lab to understand how people use games. What parts do they struggle with, find challenging, find easy? Where do people die, what do they miss, which weapons do they like and so on. Among the research techniques shown in the article is a heat map showing snapshots of player locations every five seconds. It can be superimposed with kills, game events and other key criteria helpful in understanding the gaming experience. From this designers can refine and learn what makes people "tick" and make them "tick" more often and harder.

It's this kind of sophistication and modern thinking that excites me about bug hunting. I have had the privilege to watch many security consultants test over the years. Nathan Myhrvold (the old CTO of MSFT) is quoted as saying that a good software developer doesn't produce 10x the amount of code but 10,000x that of an average developer. I think the same is true of security and bug hunters. I am not talking about "A.N. Other" XSS bug but complex design flaws and serious implementation bugs that are the result of complex interrelated implementation decisions. Really good people (and you know who you are) can find a far greater proportion of bugs in a far shorter time than you would extrapolate from a linear intellect curve. Do they think harder or have a natural gift for making security decisions? I think the latter, also a topic of a good dinner conversation.

What I don't have is proof of this to look at, learn from and help people apply the same thought patterns to improve detection rates. Where do these security gamers go first, what are their repetitive patterns and how could others learn from their techniques? Heat maps of code sliced and diced by functionality, mashed up with vulnerability types and detection complexity... and so many other ideas. I suspect this would make a great thesis for a psychology student with an interest in security or a security freak with an interest in psychology. I suspect I could find some really good contacts if anyone has an interest in collaborating on a long term project trying to find the security genome!

6 Comments on “The Security Genome - Understanding How People Find Security Bugs”

  1. dre Says:

    Some people are good at building things, while others are better at breaking things (or taking them apart).

    What really matters are the subtle differences between scientists and engineers, criminal mind vs. criminal actions, and what kinds of toys your parents let you play with growing up (I had legos, g.i.joe, electronics/robotics kits, chemistry sets, and computers - while most other kids I knew had basketball courts, bikes, transformers/go-bots, and video games).

    I think it’s nice to have a balance in all things now that I’m much older. However, maintaining a safe balance between building and breaking is oxymoronic.

    It’s similar to the problem I claimed to have where any certain day was either a good “software day” or a good “hardware day” but never both at once. So the real problem is being able to invoke whichever superpower I need for the day before I wake up.

  2. The Art of Scoping Application Security Reviews (Part 2) - The Types of Testing « Mark Curphey - SecurityBuddha.com Says:

    [...] on web security testing tools (written with software security guru Rudolph Araujo). He has the security genome [...]

  3. The Security Genome Revisited « Mark Curphey - SecurityBuddha.com Says:

    [...] Security Genome Revisited Dave Aitel quoted my Security Genome post on his Daily Dave mailing list and wrote; I would posit that no good hacker works alone. The [...]

  4. Security Genome « The Gold Bug Security Blog Says:

    [...] I have to thank Mark Curphey for letting me link this great article called Security [...]

  5. Joel Helgeson Says:

    And when they do isolate the security gene, I predict it will be very near the gene that causes one to eat the entire bag of potato chips. It is a day that will not come soon enough.

  6. Building a security plan | tssci security Says:

    [...] However, I often fail where it appears that I most succeed. I had a hard time trying to balance building things with breaking things, which made me avoid the security industry like the plague (plus all of the other obnoxious reasons). Sometimes I think that I don’t have the security gene. [...]