An Artist and his tools

I ask you, what does a security analyst have in common with Picasso, Shakespeare, and Mozart? You are probably asking yourself how one could begin to make such a connection. The connection is that they are all artists working in different mediums. Picasso had his paints; Shakespeare had the stage; Mozart his violin and piano; and the security tester his experience and knowledge.

While Science plays a critical role in the world of Information Security, it is strongly complemented by Art. Merriam-Webster defines Art multiple ways; I personally like the following two meanings:

1. A skill acquired by experience, study, or observation
2. The conscious use of skill and creative imagination, especially in the production of aesthetic objects

For this posting I ask you to think of findings from a penetration test or a web application test as aesthetic objects. While science helped us to discover the [potentially] vulnerable variable or those open ports, it is art that determines the real risk and validity of the finding, as well as uncovering its hidden meaning.

Take the following very simple example. We have a web application whose URL is www.mybadapplication.com. Using an automated web scanner (i.e., science), we scan the web application. The scanner returns a list of parameters that are used within the application. One of the variables is “admin” and is found as a GET parameter (www.mybadapplication.com/?admin=false). To the automated scanner this is just another variable; to the security analyst (or artist) this variable is much more interesting. An artist is going to immediately change false to true and evaluate the response, whereas the automated scanner only lists the variable and flags no risk.
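To make the admin=false example concrete, here is an added illustration (not code from the original post or from any real application) of why the analyst's check matters: a handler that decides authorization from the client-supplied GET parameter, beside a hardened handler that takes the role from a server-side session and ignores the parameter, plus the validation step from the text, which replays the scanned URL with the flag flipped and reports whether the flag alone changed the outcome. The session store, session ids and page names are constructed for the example; the host name is the one the post uses.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed server-side session store: who is actually logged in and their real role.
# A real application would look this up from its session backend.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}

# The URL the scanner reported (host from the post; query value constructed).
SCANNED_URL = "http://www.mybadapplication.com/?admin=false"


def query_params(url):
    """Return the query-string parameters of a URL as a dict of single string values."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def vulnerable_handler(url, session_id):
    """The finding: authorization is decided by a parameter the client controls.
    The session id is accepted but never consulted."""
    params = query_params(url)
    is_admin = params.get("admin", "false").lower() == "true"
    return "admin panel" if is_admin else "user page"


def hardened_handler(url, session_id):
    """The fix: the role comes from the server-side session; the ?admin= parameter
    is parsed only so the handler has the same interface, then ignored."""
    query_params(url)  # parsed for parity with the vulnerable handler; not used
    session = SESSIONS.get(session_id)
    if session is None:
        return "login required"
    return "admin panel" if session["role"] == "admin" else "user page"


def flag_changes_outcome(handler, session_id):
    """The analyst's validation from the post: request the scanned URL as-is, then
    with admin flipped to true, and report whether the flag alone changed the
    response. True means the parameter is trusted for authorization (a real finding);
    False means the scanner's variable is just another variable."""
    flipped_url = SCANNED_URL.replace("admin=false", "admin=true")
    baseline = handler(SCANNED_URL, session_id)
    flipped = handler(flipped_url, session_id)
    return baseline != flipped


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(f"{name}: flag changes outcome for a plain user? "
              f"{flag_changes_outcome(handler, 'sess-alice')}")
```

Run as a script, the vulnerable handler reports True (a plain user reaches the admin panel by editing the URL) and the hardened handler reports False. The design point is the same one the analyst is checking for: anything that arrives in the request is attacker-controlled, so the authorization decision must be anchored in state the server owns, such as the session's role.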

Let’s now assume that our scanner returned a finding of SQL injection. Almost every set of tools I have worked with rates SQL injection as a Critical or High finding. I don’t necessarily disagree with this rating; SQL injection can lead to serious compromise. But is the finding valid? Many of the tools out there go to great lengths to validate findings, but their automated actions are far from perfect. Once again our artist will work to determine whether this finding is a false positive, and if not, he will determine what risk it presents to the organization.

The interpretation of the finding, just like art, is derived from many influences. The security analyst has multiple factors to consider when determining a finding’s risk – how likely is it to be discovered, are there known exploits in the wild, what technical skill level is required to exploit it, and what is the impact to the organization?

If you ask two different critics to interpret the same piece of art, chances are you will get two different points of view. Similarly, the same finding at different organizations may carry a different level of risk. Factors such as type of industry (Financial, Medical, Government, etc.), impact to the organization, and even public relations play a significant role in our interpretations.

It is a true artist who is conscious of this, can think outside the box, and can be creative enough to provide their client with actionable, value-added results.

Can the science exist without the artist? Yes, but I have seen many automated reports shoved in front of developers only to be thrown away because they were filled with false positives and meaningless data. I believe the two ideas complement each other, and neither one is as powerful without the other.
