I get the feeling that the title of this week’s blog might get a few people’s attention for the wrong reasons! The KISS I’m talking about giving to information security is the KISS principle:
Keep It Short and Simple (or Keep It Simple Stupid)
I read whitepapers and view presentations on a daily basis which detail new types of vulnerabilities, and I always wonder why most of these whitepapers and presentations fail to follow the KISS principle. I’d bet that most people involved in information security, systems administration or application development don’t care about the intricate details of these vulnerabilities. They only want to know one thing: “What do I need to do to prevent this?” These people don’t need to know how to exploit the flaws in order to prevent them, in my opinion. Despite this, the information security community tends to focus more on the “how to exploit” than the “how to prevent”.
I have a lot of respect for the security professionals who find and publish new types of vulnerabilities such as Meta-Information Cross Site Scripting, but I think we need to start focusing more on the root cause of these vulnerabilities instead of different ways to exploit the same old flaws. This is something I have been trying to encourage people to do for over a year now: stop looking at the details of every type of vulnerability and focus on the things you need to do to prevent them occurring in the first place. Information security isn’t rocket science, but even if it were there is no excuse for making this more complicated than it needs to be. The KISS acronym was first coined by Clarence Johnson, who realised the importance of the KISS principle in military aircraft design. The “make things simple and easy” approach was also followed and encouraged by the likes of Albert Einstein and Leonardo da Vinci. I think the Albert Einsteins and Leonardo da Vincis of the information security community need to do the same.
I mentioned a new vulnerability type that has been published this week (Meta-Information Cross Site Scripting) which is interesting to read about but is exploiting the same old input and output validation flaws we have been discussing for many years now. Whether we look at Reflected Cross Site Scripting, Persistent Cross Site Scripting or Meta-Information Cross Site Scripting, the root cause is the same: a lack of input and/or output validation.
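To illustrate the “same root cause, same fix” point above, here is an added example that is not part of the original post. It shows a reflected case (a search parameter echoed back) and a persistent case (stored comments rendered into a page) side by side, first without output encoding and then with a single shared encoding step. The page templates, the parameter name and the sample comments are constructed for the illustration; the encoding itself is the standard library’s `html.escape`.

```python
import html

# Constructed sample input: the classic harmless XSS probe string used in testing.
SAMPLE_PROBE = '<script>alert(1)</script>'

# Constructed sample of "stored" user content, e.g. comments saved earlier.
SAMPLE_COMMENTS = ['Great post!', SAMPLE_PROBE]


def escape_for_html_body(value: str) -> str:
    """Encode the characters that change meaning in an HTML body or quoted attribute."""
    # quote=True also encodes " and ' so the same function is safe inside attributes.
    return html.escape(value, quote=True)


# --- Reflected XSS: the request parameter is echoed straight into the page ---
def render_search_vulnerable(query: str) -> str:
    """Vulnerable: untrusted input inserted into HTML with no output encoding."""
    return f'<p>Results for: {query}</p>'


def render_search_fixed(query: str) -> str:
    """Fixed: the same template, but the untrusted value is encoded on output."""
    return f'<p>Results for: {escape_for_html_body(query)}</p>'


# --- Persistent XSS: stored user content is rendered into the page ---
def render_comments_vulnerable(comments: list[str]) -> str:
    """Vulnerable: stored content trusted just because it came from the database."""
    return '<ul>' + ''.join(f'<li>{c}</li>' for c in comments) + '</ul>'


def render_comments_fixed(comments: list[str]) -> str:
    """Fixed: every stored value goes through the same encoding step as reflected input."""
    return '<ul>' + ''.join(f'<li>{escape_for_html_body(c)}</li>' for c in comments) + '</ul>'


def contains_live_script(rendered_html: str) -> bool:
    """Simple check used here to show whether a raw <script> tag survived into the output."""
    return '<script' in rendered_html.lower()


if __name__ == '__main__':
    for label, out in [
        ('reflected, vulnerable', render_search_vulnerable(SAMPLE_PROBE)),
        ('reflected, fixed', render_search_fixed(SAMPLE_PROBE)),
        ('persistent, vulnerable', render_comments_vulnerable(SAMPLE_COMMENTS)),
        ('persistent, fixed', render_comments_fixed(SAMPLE_COMMENTS)),
    ]:
        print(f'{label:24s} live script: {contains_live_script(out)}  -> {out}')
```

The point of the example is that the reflected and persistent variants differ only in where the untrusted string comes from; the corrective action is the same single output-encoding step at the point where data meets markup, which is exactly the kind of KISS-friendly root-cause fix the post argues for.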
The information security community should look to apply practices such as Failure or Systems Based Root Cause Analysis, as used in engineering, to information security vulnerability research. The general principles and approach to documenting corrective actions in root cause analysis should be applied to information security vulnerabilities. This would allow us to identify the root cause of vulnerabilities and produce a KISS-friendly solution which should prevent the vulnerability occurring or re-occurring in future.
If every security professional spent the same amount of time educating people on the root causes of common vulnerabilities as we do trying to break things, I think we would see people producing more secure systems and applications. This kind of approach is starting to get some traction with projects such as our own Principles of Secure Development and the Rugged Software initiative, but we still have a lot of work to do before we see training course providers, conference selection panels and security professionals talking more about how to do things securely instead of what hackers might or could do.
I must say that some conferences do embrace the “how to prevent” approach with open arms. I have spoken at three conferences about this approach so far and I’d like to mention them here:
As always I look forward to hearing any feedback from the readers of this blog so please get in touch by leaving a comment, sending me a message on Twitter or by sending me an email.