NB: idle stream-of-consciousness rambling follows
For a long time, those of us in infosec have mused on the value of attacking versus protecting: breaking and building, cracking and hacking, red team and blue team, offense and defense. I suspect the general problem goes back to ancient military thinkers, but that lies way outside my scope and I’ve never actually read all of The Art of War (though I did read The Prince).
Basically, lots of folks like to blow things up. That might mean finding a cool way to smash a stack or inject SQL, or it might mean finding a $2 trillion mistake in a financial analysis, or it might mean turning somebody’s Internet spaceship pixels into Internet debris pixels. Mudge says it takes 100 lines to write a piece of malware that takes 100k lines of technology to detect and prevent.
I can’t possibly deny the value of proper testing, including finding cool new ways to slip past defenses. Infosec requires that we think like bad guys, and in reality we’re all bad guys to someone or other (props to Richard Thieme). But I’d like to see us start to attach some “cool factor” to nice defensive hacks. Martin Roesch et al. did some really cool stuff with Snort, and Lance Spitzner’s early work on system hardening influenced me tremendously over a decade ago. Let’s not forget ModSecurity, either: a particularly under-appreciated bit of work. Everyone working on the defensive side has their own examples.
Pointing out flaws is insufficient. A friend and colleague used to tell his staff when they’d complain, “I understand the problem, but what are you doing to help me fix it?” He didn’t expect them to bring the One True Answer (as if that even existed), but he did want them to show they’d put some thought into understanding how to fix things. Belly-aching doesn’t actually do that much good.