I ask you, what does a security analyst have in common with Picasso, Shakespeare, and Mozart? You are probably asking yourself how one could begin to make such a connection. The connection, they are all artists with different mediums. Picasso had his paints; Shakespeare had the stage; Mozart his violin and piano; and the security tester his experience and knowledge.
While Science plays a critical role in the world of Information Security, it is strongly complemented by Art. Merriam-Webster defines Art multiple ways; I personally like the following two meanings:
1. A skill acquired by experience, study, or observation 2. The conscious use of skill and creative imagination especially in the production of aesthetic objects;
For this posting I ask you to think of findings from a penetration test or a web application test as aesthetic objects. While science helped us to discover the [potentially] vulnerable variable, or those open ports, it’s art that determines the real risk and validity of the finding, as well as uncovering their hidden meanings.
Take the following very simple example. We have a web application whose URL is www.mybadapplication.com. Using an automated web scanner (i.e. Science), we scan the web application. The scanner returns us a list of parameters that are used within the application. One of the variables is “admin” and is found as a get parameter (www.mybadapplication.com/?admin=false). To the automated scanner this is just another variable, to the security analyst (or artist) this variable is much more interesting. An artist is going to immediately change false to true and evaluate the response, whereas the automated scanner only lists the variable and flags no risk.
Let’s now assume that our scanner returned a finding of SQL injection. Almost every set of tools I have worked with rates SQL injection as a Critical or High finding. I don’t necessarily disagree with this rating, SQL injection can lead to serious compromise. But is the finding valid? Many of the tools out there go to great lengths to validate findings, but their automated actions are far from perfect. Once again our artist will work to determine whether this finding is a false positive, and if not, he will determine what risk it presents to the organization.
The interpretation of the finding, just like art, is derived from many influences. The security analyst has multiple factors to consider when determining a finding’s risk – how likely is it to be discovered, are there known exploits in the wild, what is the technical skill level to perform the exploit, or what is the impact to the organization?
If you ask two different critics to interpret the same piece of art, chances are you will get two different points of view. Similarly, the same finding at different organizations may have a different set of risk. Factors such as type of industry (Financial, Medical, Government, etc), impact to organization, and even public relations play a significant role in our interpretations.
It is a true artist who is conscious of this, can think out of-the-box, and can be creative to provide their client actionable and value-add results.
Can the science exist without the artist? Yes, but I have seen many automated reports shoved in front of developers only to be thrown away by the developer because it was filled with false positives and meaningless data. I believe the two ideas complement each other and neither one is not as powerful without the other.