Are hackers ahead of IT security? Why has the balance between the two parties, hackers and security folks (it is hard to call them a community!), been lost for so long? What created such a big gap, when there was no such huge difference in the 90s?
Many factors are involved: knowledge, intelligence, teamwork with a genuine sense of community, operational outcome (destructive vs. constructive), originality of source code... but I have noticed there is only one effective factor that acts as the significant driver, something that takes the hackers' community to a totally different level of control and changes the balance between Jedi and Sith forever: Commitment! Hackers are simply more committed to doing the job!
We send our top IT talents to learn hands-on hacking techniques, our IT administrators to deep-dive into the dark web, and the whole company crew to learn security essentials, and still it takes one man to bring the entire company's technology to its knees, all because the mechanics of hacking are blurry to the typical IT guru. Here is an analogy to the human body:
...it is like consuming more and more vitamins and hoping for physiologically healthier cells, while the body is creating cancerous cells...
...putting more and more complex firewall rules in place when the internal setup of the nodes is vulnerable from the start... setting up more and more security tools while setting up more and more insecure nodes at the same time...
Software, with every piece of code, is the foundation of any modern computerized system (basic, huh?), and that is where we have the problem: creating vulnerable code in the first place. That is also where "Commitment" enters the equation: the software community wants to release, in a rush, with limited to zero knowledge of security, dealing with very high-level and complex APIs, with no tests, an immature or illogical software development process, and no code review... but hackers are committed to reviewing developers' code for them, and they find those cancerous cells inside the body of the software! Even worse, while hackers are committed to finding and exploiting those software flaws, developers are committed to releasing newer versions with more focus on functionality than on fixing the foundation. No doubt it is tedious and sometimes impossible, because if the flaw is within the design, there is no time for the developer to step back and fix something natively insecure, to the point that sometimes developers prefer to leave the insecure code behind completely and go for a brand-new baby codebase, where they fall into the same illogical development process, or may even reuse some boilerplate code from previous practice (most likely insecure artifacts).
Code review is the best way to get ahead of hackers, and of course it is the software developers' mission to cultivate and popularize the practice at the earliest stage of coding; as for IT administration, they need to fully understand the mechanics of the software they are using. Remember that today's IT crew are more like software operators, so it is reasonable to expect operators to be fully aware of the machine they are driving.
A cyberspace entrepreneur with more than 30 years of experience in different fields of computer science.