The divide between developers and hackers is real. So, apparently, is the effort to bring them together and make them play nicely.
“It’s not just a knowledge gap, but an empathy gap,” said I Am The Cavalry founder Josh Corman during a panel discussion at last week’s RSA Conference. “One common thing between the two is that [hackers] are not the most soft-skilled, organically huggy group. But we’re fixing it.”
The panel brought together Corman, hacker Rob Graham of Errata Security, and developer and Fuzzy.io CTO Evan Prodromou. It also demonstrated that some of the same old wounds and misunderstandings between makers and breakers still exist.
Graham—one who is certainly not shy on opinions—expressed his frustration with developers who, for example, will hardcode a backdoor password into their apps thinking no one will find it.
“Then along comes a 13-year-old who runs all the strings on your binary and uses them as a password to log in,” Graham said. “There’s this boundary developers have, and they think it’s theoretical and no one will figure it out. And sometimes it’s true, but it’s also the biggest failure that I as a breaker am exploiting.”
Prodromou said there are similar perceptions and misconceptions on both sides.
“For people who are developing software, there is an idea that security people are borderline criminals or there are criminally avaricious consultants just out there trying to get money out of you.”
In between is Corman, a vocal proponent of DevOps who is concerned about the security of connected devices and the inevitable impact that vulnerabilities in automobiles, medical devices and other things running embedded, connected computers will have on physical safety. Poor relationships between developers and security researchers cannot be a barrier any longer, he said.
“We need [researchers]. This is about the rise of the ambassador class, and being the voice of reason,” Corman said. “It’s time to see the value of the breaker community and connect dots in ways that are less threatening.”
Things weren’t all gloom and doom. The panelists did concede that things such as vulnerability disclosure processes and bug bounties have opened lines of communication that did not exist 10-15 years ago, when, as Corman pointed out, Microsoft was sending cease-and-desist letters to hackers like Graham.
“Unless a company is prepared for it, [disclosure] hardly ever goes right,” Graham said. “If a company has no process in place, they create it on the fly to deal with this one bug, and whether it goes well is hit or miss. These days it’s increasingly standard for advanced companies to have a coordinated disclosure program or a bounty that handles these things.”
Corman encourages companies to put out a “welcome mat” for white hats, and pointed to General Motors’ recently announced bounty program which promised nothing more than not to sue researchers who find vulnerabilities.
“In seven days, GM had triple-digit submissions, and a double-digit number that were not known to them and were serious,” Corman said. “They fixed three in one week. Who thinks those bugs were found in just one business week? Anyone? They availed themselves of the ability to do something about it before it was attacked, by having a welcome mat out.”