Appsec isn’t people

Recently there was a thread on Twitter I stuck my nose into about appsec and why it doesn’t work.

I have a response in there that I believe is a nice way to explain my biggest problem with appsec. I would sum it up as “Appsec isn’t people”. Here is a clever image to help.

appsec-isnt-people

You know you can take it seriously because the text is green.

The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs.

Humans are never going to write bug free code, this isn’t a controversial subject. Pretending we can somehow teach people to write bug free code would be a monumental waste of time and energy so we don’t even try.

Now it’s time for a logic puzzle. We know that we can’t train humans to write bug free code. All security vulnerabilities are bugs. So we know we can’t train humans to write vulnerability free code. Well, we don’t really know it, we think we can if you look at history. The last twenty years has had an unhealthy obsession with getting humans to change their behaviors to be “more secure”. The only things that have come out of these efforts are 1) nobody likes security people anymore 2) we had to create our own conferences and parties because we don’t get invited to theirs 3) they probably never liked us in the first place.

I imagine a non trivial number of readers are concocting clever responses in their minds explaining why this statement is wrong in every possible way. Feel free to @ me.

But seriously, we’ve been at this for more than twenty years. Things really aren’t much better than they were back at the beginning. Nearly all forward progress has been the result of better tooling and languages and better process for handling security incidents. I’ve yet to see anything that really changes human behavior in a way that creates real progress.

I should mention at this point that I don’t think security training, or any training, for humans is a bad thing. Awareness is a big deal and it’s important. Training is also useful to learn new skills and ideas. As a professional we should never stop learning, it’s the most important thing we can do.

What I’m saying is that training won’t change behavior at scale. Humans will continue to human even after training, ESPECIALLY after training they didn’t want to take.

The future of appsec has to be technology. Automated tools that can detect vulnerable components. Languages that don’t suffer from memory corruption. Frameworks that make cross site scripting impossible. Operating system hardening. Those are the things that have created real change in the last two decades.

Yelling at people to be more secure never worked. It will never work.