General Melchett: "Security isn't a dirty word, Blackadder ... Accountability is a dirty word, but security isn't."
Attended an almost three-hour-long secure development seminar this week, with no cigarette or toilet break, at 9:30am, the best productivity time of the day. The presenter is from one of the big four accounting firms. This is NOT a joke: an accountant telling developers how to do IT security.
Honestly, I have this counterphobia syndrome, a phobia of people wearing a security hat in a fearful situation. I still believe they are people who make a living breaking into innocent people's and governments' safes, troublemakers in their youth until they grow up and finally realise their lives could end in jail if they keep doing so. And one day they all become security experts.
It started with every attendee giving a brief self-introduction and answering the question "what are your favourite computer languages?"
Actually, on second thought, it's a tricky question, especially in a meeting like this, and especially when the breaking news a few days ago was two security holes in Java 7 and a SQL injection flaw in Ruby on Rails. If you follow what some security experts suggested, what you should do is shut down all websites running Java and Ruby.
I skip a straight answer and diplomatically reply that it all depends on the project. The presenter persists with the same question: "What are your favourite computer languages?" I can see he is very disappointed after I give him the SAME answer.
Unfortunately, the other developers in the meeting room, mainly Java programmers, perhaps don't know there may be a booby trap attached, or are just too naive and innocent, and tell the presenter they like programming in Java, Ruby, Groovy ...
No surprise: after the introductions, the scare campaign begins.
The presenter reminds everyone of the security alerts in Java, then tells the whole room that Java is becoming the next COBOL and all Java developers are going to go extinct like the dinosaurs. He doesn't say you are a stupid, if huge, Tyrannosaurus Rex, but I know he means it!
Then the endless whinging, rants, self-promotion and sales pitch kick off.
For example: Google is backing away from GWT because of security concerns; new versions of libraries and tools have fewer security defects and are usually faster, according to Microsoft(?); how PayPal's token-based two-factor authentication is not always secure; how you should trust Facebook because it has a better account management system.
Fat chance.
Several demos that should have been the highlight failed miserably. Unfazed by failure, the presenter delivers another blow to the audience: "trust me, it works".
One of the few demos that works is using a password cracking tool, John the Ripper, to crack an MD5-hashed password file with the predefined raw-md4-opencl format. This is just too 1990s, except that the password cracking uses a GPU, not a CPU, this time.
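As an added example (mine, not the seminar's or this post's), here is what that demo boils down to in Python, with a constructed hash file and wordlist: an unsalted fast hash lets one guess be checked against every user at once, while a salted, iterated hash such as PBKDF2 does not. One check a practitioner would make on the demo itself: in John the Ripper, raw-md4-opencl is the MD4 format, and the one for plain MD5 hashes is raw-md5-opencl. The user names, hashes, wordlist and function names below are all my own.

```python
import hashlib
import hmac
import os

# Constructed sample "leaked" password file in user:md5hex form, the kind of
# input the seminar demo fed to John the Ripper. The first three hashes are the
# unsalted MD5 of weak passwords; the fourth is a made-up digest that matches
# nothing in the wordlist, standing in for a user whose password is not in it.
LEAKED_MD5_FILE = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:e10adc3949ba59abbe56e057f20f883e
carol:25d55ad283aa400af464c76d713c07ad
dave:0123456789abcdef0123456789abcdef
"""

# Constructed tiny wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["letmein", "password", "qwerty", "123456", "12345678", "monkey"]


def crack_unsalted_md5(hash_file, wordlist):
    """Dictionary attack on unsalted MD5, the way a cracker does it.

    Each candidate is hashed ONCE and looked up against every target at the
    same time: no salt means one guess tests all users, and MD5 is cheap enough
    that a GPU pushes billions of such guesses per second. Returns {user: pw}.
    """
    targets = {}
    for line in hash_file.splitlines():
        user, digest = line.strip().split(":", 1)
        targets.setdefault(digest.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        guess = hashlib.md5(word.encode()).hexdigest()
        for user in targets.get(guess, []):
            cracked[user] = word
    return cracked


# What the file should have held instead: a per-user random salt and a
# deliberately slow, iterated hash. 600,000 is the OWASP (2023) minimum for
# PBKDF2-HMAC-SHA256; a memory-hard function such as Argon2id is better still.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing hash string: algo$iterations$salt$dk (hex)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salt_defeats_shared_lookup(password):
    """Two users with the same password get different stored hashes, so the
    one-guess-tests-everyone trick from crack_unsalted_md5 no longer applies."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("cracked:", crack_unsalted_md5(LEAKED_MD5_FILE, WORDLIST))
    stored = hash_password("password")
    print("stored:", stored)
    print("verify correct:", verify_password("password", stored))
    print("verify wrong:", verify_password("Password", stored))
    print("same password, different hashes:", salt_defeats_shared_lookup("password"))
```

The dictionary run cracks three of the four constructed accounts instantly and leaves dave alone only because his digest is not in the list; with a GPU and a real wordlist the "too 1990s" verdict is earned. The PBKDF2 half is the fix the demo should have ended with: the salt kills the shared lookup, and the iteration count turns billions of guesses per second into thousands.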
Frequently, he mentions how good Microsoft .NET is; that Visual Studio can find security issues as you code; that the number of security issues in Microsoft products has dropped drastically, certainly if you believe Microsoft tells you the true number.
Finally I understand that he is trying to sell Microsoft "security" solutions to businesses.
Feeling a bit fooled and humiliated, I can only shake my head in disbelief. Maybe the other developers have the SAME pain-in-the-ass feeling about Microsoft products: no applause or appreciation when the seminar ends. People rush out of the room as quickly as possible, or maybe just because they need to pee.
Security is not a dirty word, but quack is.
If there were any useful references, they are these:
• Burp Suite, an integrated platform (hacking tools?) for performing security testing of web applications, http://www.portswigger.net/burp/
• BeEF (Browser Exploitation Framework) is a security tool, allowing a penetration tester or system administrator additional attack vectors when assessing the posture of a target, http://beefproject.com/
• Puppet is IT automation software that helps system administrators manage infrastructure throughout its lifecycle, from provisioning and configuration to patch management and compliance, http://puppetlabs.com/puppet/what-is-puppet/