Why security testing will always be necessary – part 1
Dawid Balut, TestArmy Cyber Security Director’s column, part one.
Why will the security testers’ work always be equally important? What is the future of the IT security industry? How did his beginnings in the business influence our Cyber Security Director’s opinion on this matter? Dawid Balut answers all of these questions in the first part of his essay.
An experienced pentester and Bug Hunter who joined the defensive side of the force and for over half a decade worked as a Security Architect for several Silicon Valley corporations. Nowadays, he builds security systems, trains employees and automates all security processes.
I started my IT world adventure from the lowest positions. Years ago I worked as a computer technician, network guy, coder and system administrator, and finally I started delving into security-related issues.
While still a programmer, I developed as an offensive security tester and reported security bugs to hundreds of companies – both popular foreign giants and large Polish firms. It was all at a time when Bug Bounty programs were not a thing yet and just a couple of the biggest corporations had some tiny researcher reward systems.
Even though it took some years before I finally started working in the security industry, I do not regret the time spent in my previous positions. Taking such a long road provided me with a lot of priceless experiences, thanks to which my perspective is now much wider. I understand the problems which employees in different positions have to deal with, and by taking them into consideration, I can make more beneficial decisions for the companies and teams I cooperate with.
The long road not only gives more context, but also teaches us humility and all about the hardships of work in different positions. Seeing how complicated the software production and maintenance processes are, we can distance ourselves from the problems and tone down our comments about the bugs we find.
More than ever, the security industry needs patient professionals who can keep in mind the context specific to each company and cooperate with others without harsh comments. We need leaders who can build and promote the security culture in their companies.
I spent the following years as a pentester, but my belief about the lack of importance of what we did stayed the same. Every few months I ran into the same errors appearing as regressions, I kept finding exactly the same vulnerabilities in new pieces of code, and the world was not becoming any safer. To this day, clichéd XSS bugs are being found in applications produced by companies such as Microsoft and Apple. Pentesting and bug hunting just do not scale.
Even though pentesting is an important occupation and penetration tests are themselves a critical element of all security programs, for me it was a questionable career path if I wanted to change the global status quo. And the status quo was a slow and arduous improvement of security measures and money wasted on low-ROI investments.
I then decided to join a multi-million-dollar American corporation in the security industry. As an internal security engineer, later promoted to main security architect, I was responsible for building the security from scratch. My main goal was to focus not only on searching for vulnerabilities but, most importantly, on preventing them from even appearing. In the meantime, I kept helping other companies and specialists to secure their organizations from the inside and increase the ROI of their pentests and Bug Bounties.
Cooperating with the security teams of dozens of companies was a confrontation with a sad, grey reality for me.
5 years have passed since I decided to focus on something other than pentesting, and as I observed the course of events in the industry, my belief that I overestimated the companies’ ability to implement pragmatic, comprehensive security processes became much stronger. Just a few years ago, when I thought that silly bugs in security would soon be just a blast from the past, I decided to focus on something greater, believing that many companies would follow and most of them would reach a sensible level of security soon.
It turned out, however, that the sector I had just left had its best years ahead. Pentests, bug bounty programs and everything related to the offensive approach to security became more popular than ever. Despite the large investments in such activities, many companies are still lacking in terms of safety measures and the pentesters keep discovering identical errors over and over again. Most of these errors should not even exist in 2018, and the companies waste hundreds of thousands of dollars on badly managed bug bounty programs.
Seeing how disappointing the current state of global IT security is, I decided to join TestArmy in order to add my own contribution to improving the state of issues I believed could soon be resolved organically. I want to use my experience to help in reaching a higher ROI in security. We have a lot of shiny and pretty toys; however, many of the initiatives undertaken by companies are not as effective as they can and should be.