Penetrate Yourself

June 28, 2012

If, as a developer, you care about security, you need to be constantly running pentests against your own code. Constantly – and I’m not talking about buying an off-the-shelf tool that will do the scanning for you. Those are important, but they’re something that QA or Operations can use to cross-check your work. What I mean is good, old-fashioned trying to break into the software you just wrote. This shouldn’t be too hard; you wrote it! You know where you usually slack off, so you’re in the best position to find vulnerabilities in your own code.

The reason this doesn’t happen – at all, really – is that engineers don’t know how to do penetration tests. I don’t know why; it’s a load of fun! Sure, those are the same skills that could land you in prison, but if you’re going to defend against hackers, you’d better learn to think like one. It takes a thief to catch a thief. Most engineers write software as if they’re living in a log cabin on top of a mountain in a desolate region of the planet. Who would ever want to break into my stuff? It’s such a good neighborhood! The reality is that your software will be running on the Internet, and the Internet is the seediest part of town, with crackheads looking in through your windows, looking for stuff to steal.

When it comes to security, it’s all defense. They say you can’t win a war playing defense, but you can tire out and demoralize the enemy. Every time they make a coordinated attack and get nothing, you’ve wasted their time and (if you were paying attention) learned about their methods, which then allows you to shore up your defense for the next time. Security isn’t about a one-time process that happens a few days before a release, it’s constant vigilance. They can hit and miss; you only need to miss once. If that stresses you out, then you’re starting to get into the right mindset. At least at the end of the day, by running constant pentests against your own work, you’ve done the best you can to bar the doors and windows. It may not be enough if an army comes knocking at your door, but it will at least keep the crackheads out.
I would like to point out that if we work together today, or have in the past, my opinions may or may not have been influenced by working with you. Most likely they have been, but I have to say that to avoid offending people. You're so vain. I bet you think this site is about you.