Wednesday, 10 October 2012

Note to vendors, engage AppSec community (and if you write your app in .NET there is nowhere to hide)

It always amazes me how 'precious' vendors are about their 'amazing technological' advances.

They are always so afraid that we, 'the security researchers', will just 'use their product', reverse engineer it, make a lot of money with it, and blah, blah, blah (see the post Providing licenses to security consultants)

If you are a vendor and don't share (or push like mad) your tool/service/technology with Application Security professionals (like me), here are a couple of comments for you:

  • you are stupid - sorry, I could probably say this in a more politically correct way, but it's early and I'm on my first coffee
  • you are missing out on your most important community - yes, we
    • are hard to deal with,
    • have strong opinions,
    • already have a strong tool set,
    • think that you don't have a clue (not all of you :)  ),
    • are hard to convince,
    • usually know more about what you are trying to do than you do,
    • are a major factor in the success of your product
  • I'm the stupid one if I use your evaluation version in a commercial (paid) engagement - that would be breaking the license/law, it would be morally wrong, and (when found out) would put me (the professional) in a very bad light
  • if your product does work 'the way you think it does', don't worry, companies will pay for it - since the ROI is obvious
  • and if your product does work well (see above), don't you think that I would be the first one to push it? After all, my skills are still needed to make sense of it all and to put it into context for the client (see next point)
  • if you see us (AppSec professionals) as competitors, you are also stupid - since the whole "hey, don't buy/hire their services, just buy our tool/service and you will be fine" logic is so broken that only short-term strategists can make sense of it. See this post Security Tool's vendor "No need for Doctors" for an analogy on this topic
  • on the topic of reverse engineering your tool:  
    • just because we can doesn't mean we will
    • yes, most of your DRM and license protections suck, but breaking them would actually be a compliment to you (see piracy links below), since it would mean that we cared enough to break them
    • technically, breaking your DRM and license is illegal and we would be stupid to do it
    • and btw, if you write apps in .NET, there is nowhere to hide
      • if you go down the obfuscation route, you will create more problems for yourself (and your QA team) and will also send a clear signal that you "don't want to dance"
  • on the topic of adding / fixing features to Windows .NET apps
    • In case you haven't noticed, due to .NET reflection there is nothing that can't be invoked (i.e. there is no such thing as a private method)
    • Add to that the really good support for Windows GUI automation and there is nothing that can't be scripted and automated
    • Now, in the O2 Platform, I happen to make this process really, really easy (for one of the ways, look at this video: Injecting C# DLLs into Managed (C#) and Unmanaged (C++) processes) and am now, for example, able to improve and add features to existing 'closed products' (look, for example, at what I'm doing with Cat.NET: Reaching out to Microsoft regarding CAT.NET)
    • This means that I can now add new features to your product, I can fix things, I can make it do what I (and your customer) really want it to do.
    • And is that a BAD thing?
      • You don't want me to help you understand how to best use your product?
      • You don't want me to fix your product?
      • You don't want me to give your customers more reasons to buy your product?
      • You don't want me to give my customers security automations that use your product? (where they need to buy a license/service to use it in the future)
  • on the topic of asking Application Security professionals to sign NDAs before using/trying your tools/services
    • I have two strong words to say to that (FY), but I have had my coffee by now, so I will be more gentle:
      • No and No :)
    • This is a topic long enough for another post, but this is another idea that is so wrong from a 'business point of view' that I don't get it. Also, from a technical point of view, it is very hard to copy and steal others' ideas. We are all standing on the shoulders of giants, and all our work is inspired by others.
      • (memory lane: in the Ounce days I wrote a really nice/long internal email on the topic of 'Why NDAs are stupid', but since I wasn't blogging like this back then, I've lost it!! I hate 'locked up and non-hyperlinked data', it's so inefficient to have to write/think about the same thing over and over)
  • And if you made it this far (and spent some TIME reading this), always remember that the most important asset the AppSec professionals have (and that you want to grab) is TIME
    • You should measure your outreach effectiveness and success by how much TIME is spent on your product/service (and how many public posts are made about it)
    • Anything that you can do to make it easier and faster to use your product/service will make a massive difference
    • Since TIME is very limited and so is attention span, don't be afraid to go back and ask 'Hey can I do anything to help? Have you tried it? What do you think of it?'
    • And since TIME is a finite amount, remember that any TIME not spent on your product/service is probably TIME spent on your competitors :)
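
The reflection point made in the list above, as an added example that is not from the original post or from the O2 Platform: a constructed class with a private method and a private field, both reached at runtime through System.Reflection using BindingFlags.NonPublic. The class name ReportBuilder and its member names are assumptions for illustration only. The defender's takeaway is that access modifiers are a compile-time convenience, not a trust boundary; anything that lives in a process the user controls can be read and called, so decisions that matter for security belong on a side the client does not control.

```csharp
using System;
using System.Reflection;

// Constructed example class: stands in for a vendor's type whose
// members are marked private. Names are illustrative, not from any product.
public class ReportBuilder
{
    private int _renderCount = 0;

    private string Render(string title)
    {
        _renderCount++;
        return $"[{title}] rendered ({_renderCount})";
    }
}

public static class ReflectionDemo
{
    // Invokes a private instance method by name. The compiler never gets
    // a say because the member lookup happens at runtime.
    public static object CallPrivate(object target, string methodName, params object[] args)
    {
        MethodInfo method = target.GetType().GetMethod(
            methodName,
            BindingFlags.Instance | BindingFlags.NonPublic);
        if (method == null)
            throw new MissingMethodException(target.GetType().Name, methodName);
        return method.Invoke(target, args);
    }

    // Reads a private instance field by name, the same way.
    public static object ReadPrivate(object target, string fieldName)
    {
        FieldInfo field = target.GetType().GetField(
            fieldName,
            BindingFlags.Instance | BindingFlags.NonPublic);
        if (field == null)
            throw new MissingFieldException(target.GetType().Name, fieldName);
        return field.GetValue(target);
    }

    public static void Main()
    {
        var builder = new ReportBuilder();

        // None of these would compile as direct calls, since Render and
        // _renderCount are private. Reflection does not care.
        Console.WriteLine(CallPrivate(builder, "Render", "Quarterly"));
        Console.WriteLine(CallPrivate(builder, "Render", "Annual"));
        Console.WriteLine("renders so far: " + ReadPrivate(builder, "_renderCount"));
    }
}
```

Compile it as a plain console project and run it; the two Render calls succeed and the private counter reads back as 2. Obfuscation only renames the strings you pass to GetMethod and GetField, which is why the post's point stands: the mechanism itself cannot be switched off for code that runs in the customer's process.
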
Finally, since most vendors, when they hear these arguments, only have one word in their head: 'Piracy!!!!'

I leave you with a thought from Tim O'Reilly in 2002: "Obscurity is a far greater threat to authors and creative artists than piracy.", and these guys agree with Tim:
Sorry about this rant, I have just had this conversation far too many times :)