Re: Security experts in Mauritius

From: Loganaden Velvindron <logan_at_afrinic.net>
Date: Sun, 1 Nov 2015 22:27:22 +0400

On 11/1/15 8:24 PM, Ish Sookun wrote:

> Hi Logan,
>
> On 11/01/2015 01:23 PM, Loganaden Velvindron wrote:
>> It's not only LUGM. There are *many* companies in Mauritius relying on
>> Open Source Software. How many are actually carrying out security
>> audits and discovering those flaws? The numbers speak for themselves.
>>
> Are you implying or suggesting that web agencies should employ
> software developers that understand the code behind Apache, Nginx,
> Varnish, OpenSSL etc.? Carrying out a security audit on a company's own
> code is one thing, and auditing completely different programs written
> in a plethora of languages would mean something else. I

If a company is developing several websites for a bunch of clients, it
makes complete sense to hire competent people that understand the
full stack. If they take people who lack experience and their clients
are dissatisfied, they are going to lose.

Personally, I would love to have an in-house OpenSSL guru, and a
performance expert who can understand bottlenecks down to the network
stack layer. So much software implements crypto these days that having
one specialist would be so much less of a headache.

> don't know if those agencies would have resources to hire someone to
> develop websites and dig for security flaws in open source software
> (like Nginx, OpenSSL etc) at the same time, unless one of their
> employees is passionate about such and the company 'sponsors' some of
> his/her activities. At most the company would hire someone who has a
> sound knowledge of security and can patch the software the company
> uses, in a timely manner and with minimal effort.
>
In my experience, they start looking for competent people when the
website that generates revenue has had to be taken down due to a security
problem. That's when company owners start to think about hiring a
security engineer to protect the company's assets on a hostile internet.

> Many web agencies rely on Open Source software but security audits
> outside their field might not be an everyday business.
>
> I would rather expect that from security-centric companies which in my
> opinion are not *many* in Mauritius. A quick search on Google led me
> to these two companies in Mauritius that offer "IT Security" services:
>
> - http://www.tylers.mu/
> - http://www.isysevolution.com/Information_Security.html
>
>> Auditing for security flaws involves having good knowledge of software
>> development, *and* being able to critically analyze code to find a way
>> to subvert it. A security expert who cannot understand how unbounded
>> string copies lead to buffer overflows is NOT a security expert. Why
>> would a security company hire a security engineer who does not
>> understand those?
>>
> In my answer above I referenced two companies that I found offer "IT
> Security" in Mauritius.
>
> I have often seen you posting similar "concerns" on social networks or
> your blog but have you ever contacted those companies and asked about
> their contribution to Open Source software? What can be done to fix that?

The concerns were echoed by senior engineers working in various
companies, and also outside of Mauritius. One of the above-mentioned
companies acknowledged the lack of experienced security engineers. Our
solution to this is what Avinash hinted at a while ago:

http://www.noulakaz.net/2006/03/01/how-to-become-a-great-programmer/

One needs to work hard, and this means spending many hours, over a
number of years, to reach a good level of proficiency. Younger engineers
need to understand that and work hard.

If we don't get the younger generation up to speed, Mauritius will face
a huge problem later on, as so many organizations are shifting to IT for
their processes. As I said in my blog, we will have cars, washing
machines, door bells, and possibly smart shoes that are hooked to the
Internet in a few years' time. The security challenges will be greater
than what they are right now.


>> Discovering a compromised website is one thing. However, going through
>> the web application code, and discovering the vulnerable code which
>> allows that to happen, is what a real security expert would do. Now, how
>> to prevent that from happening by rewriting the code is the next step.
>> How many people can do that in Mauritius? I would be happy to one day
>> see someone post such an analysis on his blog.
> I do not see any security expert, as you say, having a blog in
> Mauritius. Are you referring to anyone in particular? Do you expect a
> mason to design a building's blueprint and an architect to execute
> manual labour?
>
[I'm not understanding this analogy]

> Would you write to Tylers and ISYS Evolution telling them about your
> expectations from Mauritian companies and security experts using Open
> Source software?
>
[Reply below]

> I am a Sysadmin and I contribute to Open Source software via bug
> reports [1][2][3][4][5] as and when I encounter them. Can you advise
> me in what other way I may contribute?
>
That's great! How about doing a presentation for LUGM on the process of
Problem Report submission? Explain to people how to upload logs and
traces that allow someone to assist you remotely.

>> As I said, nobody submitted a decent solution for the Heartbleed
>> security contest, so in my opinion, there are none in Mauritius.
>>
> Did you send an invitation to IT Security companies in Mauritius for
> the Heartbleed contest that you organized, and tell them the results
> would be used to index the level of "security-centric knowledge &
> skills" in Mauritius?
>
With 30 people in the room, and a gentle introduction to Heartbleed, I
expected at least 6 submissions. One of those companies was aware of the
presentation, and read my blog post.

We didn't take a vulnerability at random. We took one of the most famous
vulnerabilities, wrote a simple introduction, and showed how to approach
the problem using engineering principles. Our hope was to simulate a
scenario and see how to solve a real security problem.

>> And what about practical applications of those concepts ? Implement the
>> OpenSSL API, in a simple client/server model ?
>>
> You learned Chemistry in college, right? Did you start making your own
> soap or shampoo? A kid who is passionate about Chemistry would surely
> try it though, and might be amazed and share his new soap with
> like-minded people.
>
> The practical side of things learned in HSC usually is seen if the
> student pursues a similar career path or is passionate about the subject.

The sooner a guy/girl starts playing around with those things, the
better. I always advocated self-learning in addition to formal learning.
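The two technical points raised in this thread, unbounded copies leading to memory-safety bugs and the Heartbleed contest, side by side as an added C example that is not part of the thread and is not OpenSSL's own code. It models the RFC 6520 heartbeat record layout (type byte, 16-bit big-endian payload length, payload, at least 16 bytes of padding) with a responder that trusts the peer-supplied length and copies that many bytes, and a second responder that first checks the claimed length against the bytes actually received. The 64-byte arena standing in for the heap, the "ping" payload and the "SECRET-KEY-BYTES" placed just after the record are all constructed for the demonstration; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Teaching model of a TLS heartbeat record (RFC 6520), not OpenSSL's code:
 *   [0]    type (1 = request, 2 = response)
 *   [1..2] payload_length, 16-bit big-endian
 *   [3..]  payload, followed by at least 16 bytes of random padding        */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static uint16_t read_u16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable responder: trusts the peer-supplied payload_length and copies
 * that many bytes out of the record, however many bytes actually arrived.
 * Returns bytes written to out, or -1 if the reply would not fit in out.  */
int heartbeat_vuln(const unsigned char *rec, size_t rec_len,
                   unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    if (3 + (size_t)payload_len > out_cap) return -1;  /* guards out, not rec */
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 1, 2);
    /* Over-reads past the record whenever payload_len > rec_len - 3. */
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Fixed responder: the claimed payload plus the mandatory padding must fit
 * inside the bytes that were actually received; otherwise drop silently.  */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len) return -1; /* the missing check */
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 1, 2);
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed scenario: a 64-byte arena stands in for the process heap. A
 * request with a 4-byte payload ("ping") and 16 bytes of padding occupies
 * the first 23 bytes; the header claims `claimed` payload bytes. A secret
 * sits right after the record, as key material might in a real server.
 * Returns 1 if the reply contains the secret (it leaked), 0 if the request
 * was answered without leaking, -1 if the request was rejected.           */
int run_scenario(int use_fixed, uint16_t claimed)
{
    unsigned char arena[64], out[64];
    memset(arena, 'P', sizeof arena);           /* padding filler */
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, "ping", 4);
    const size_t rec_len = 3 + 4 + HB_PADDING;  /* what actually arrived */
    memcpy(arena + rec_len, "SECRET-KEY-BYTES", 16);  /* adjacent memory */

    int n = use_fixed ? heartbeat_fixed(arena, rec_len, out, sizeof out)
                      : heartbeat_vuln(arena, rec_len, out, sizeof out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, "SECRET");
}

int main(void)
{
    printf("vuln,  claimed 40: %d (1 = secret leaked)\n", run_scenario(0, 40));
    printf("fixed, claimed 40: %d (-1 = rejected)\n",     run_scenario(1, 40));
    printf("fixed, claimed  4: %d (0 = answered, no leak)\n", run_scenario(1, 4));
    return 0;
}
```

The only difference between the two responders is the single comparison of the claimed length against `rec_len`; everything else, including the copy itself, is identical. That is the shape of the fix that was actually shipped for Heartbleed, and it is the same class of defect as an unbounded string copy: a copy length that comes from the attacker rather than from the size of the buffer being read.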
Received on Sun Nov 01 2015 - 18:17:11 PST

This archive was generated by hypermail 2.3.0 : Sun Nov 01 2015 - 18:18:01 PST