We are not enemies. Do not be afraid.

June 11, 2012

It’s a natural reaction. You receive a security test report only to find that there are security issues with your system. You immediately start plotting ways to cover them up, smooth them over, and remove them from record. Stop!

Every security consultant has experienced this reaction and every security consultant worth a damn has told their client that it’s okay. Just like functional bugs, security issues are a fact, a certainty of complex software, and the best way to deal with them is out in the open.

It’s not your fault

As the person responsible for a system, whether management, operations, development or testing, it’s easy to be defensive and shift blame. The reality is it’s almost never important whose fault a security issue is, and even when it is, it’s unlikely to be your fault alone. And even then, it’s just not productive.

In general the root cause of poor security is not an inept individual but an inept industry. Business leaders struggle to prioritize security, our education system barely recognizes it, and few people have real-world experience. Don’t take it personally. Find the cause and fix it. Forget the blame. It will only be your fault next time if you don’t learn from this time.

Security issues are good

All complex systems have security issues. Anyone who tells you otherwise is wrong.

If you accept this assertion, then you should also accept that identifying security issues is always a good thing. You’re not trying to get to zero, you’re just trying to get as close as possible. If there are more bugs, then every time you identify a new one, you’re meeting your objective. On the flip side, no one can ever ask why it was there in the first place – it just was.

Interestingly, given the state of Information Security, every time you perform a security test and identify no issues is a time to step back and consider why. Was it the right kind of testing? Was the right thing tested? Were the right people testing it?

Fixed is better than not existent

Businesses and the general public are catching on that security is a tough problem, and security incidents will happen. In today’s world, it’s not claiming perfect security that differentiates a good performer, but how they handle inevitable security problems.

Think of security vulnerabilities as a way to demonstrate constant improvement and dedication. You can’t show improvement if you pretend you’re perfect.

Openness reduces risk

Security vulnerabilities have a strange way of being compounded and linked together, a strange way of re-occurring even after being fixed, and a way of affecting other things in ways we could never predict.

Every issue that’s removed from a report, that’s removed from record, is an issue that will never help someone solve a problem. But worse, it is an issue that will never help anyone even know there is a security problem.

So document everything, the good and the bad. Keep all of the findings in your reports and give people access. You’re only increasing your risk if you don’t.

Let’s be friends

So next time you perform security testing don’t be afraid of the tester or the report. Get nice and cozy and bleed them for information. Ask for all the issues – big and small, current and potential.

And if anyone hassles you for “poor performance” in security testing, send them here. :)
