I have written before about how compliance fucks up security, this is a common ground now. This post isn’t about that, as it has been all used up in several conferences, blog posts, drunk Red Team meet-ups and so on.

This post will talk about the nonsense that takes place inside the average Security company itself. It is really astonishing how the most absurd situations just tend to all get together and find their home in Security companies.

But this whole post isn’t about that either. While some fucked up situations will be our case studies, the post will try to suggest the reason that all this shit doesn’t happen in companies that create refrigerators or condoms…

 

The Model

A typical security company consists of about 3 departments. They can be 4 or 6 but they are simplified to the above 3:

• A Red Team / Penetration Testing Team
• A Development Team
• A Monitoring/Operations Team

And they all suck for different reasons…

 

Stating what sucks…

The Red Team

Well, the Red Team doesn’t suck. Most of the time it is a bunch of folks that really know their shit deeply and all. What does suck is that they have to report things. And those guys, most of the time, can barely talk. Imagine how painful will be for them to write stuff. They pay for 1 hour of enjoyment (meterpreter dances, pizza breaks, pentesting vending machines and such hilarious stuff…) a total of 7 hours of hating themselves in front of a Word document, or similar text editor. They at least do what they love the 1/8 of the time…

The Developers

If you take a bunch o’ monkeys and leave them in a cage with enough pot they will eventually write a Security Product for Internal Use. This is the development department. The classic UML faggotry, Java nonsense, and such clichés all apply.

And every company has their product that isn’t of course ready yet, but it will soon be. And good Lord it is gonna kick ass when it ‘ll be…

Their reason of existence is simple. There can be no “Computer Company” without “Program Making“. It is well known that this is what Computers are all about: “Creating Programs” (in the twisted mind of upper management).

 

Monitoring/Operations

What does suck the most is the Monitoring part. And it sucks a lot. In a whole new, existential level.

If you take every guy in there they all wanted to be pentesters. Worse than that is that now they don’t know what exactly they are. And this agnostic mentality flows around the whole department. They are not sure if they maintain a Network Operation Center, a Security Operations Center, an Incident Response Center, a Log Storage Service, a Behavioral Analytics Service or a Hard Rock Cafe, whatever.

They are so clueless about their existence they need lengthy meetings to decide if they are capable of servicing a customer that needs a very specific service. They are not sure whether they support such service but they go “Fuck it” and onboard him anyway.

The only Group of people that knows exactly what kind of fruit is the Monitoring department is the Upper Management (spoiler alert: its a money and a cow, what is it?)…

 

 

Why does everything suck?

Meet the Beast: Upper Management

They couldn’t last a day in any department of the company. Most of the time they have no clue what the company is about. If you ask them: “Tell me what does your company provide without using the word ‘Security’ ?” they may get an epileptic seizure the next instant.

So Security Companies are fucked up because their bosses are collecting butterflies while they could at least study what they are being bosses at.

I mean, my idea about the Boss role (say the Platonic Idea) is the man that does the same work as you, but way better. If someone hires me that demands from me to make chickas, but he can’t do it himself, I can, very well, make chickos and he will barely notice (chickas and chickos are words I just invented, don’t google them).

But how can this work?

Spoiler Alert: It doesn’t… Have you ever heard of failure?
This situation can very well define failure. And this failure bleeds money until it bankrupts, really slowly.

This happens for a number of reasons. Someone needs to pay all those folks, working on maintaining the illusion of security to the customers.
The Company gets the annual money from contracts and projects, but instead of moving on with some education with that money, it hires more developers. Because more developers means less time for the product to come out (in the twisted mind of upper management)! And when it comes out it ‘s gonna kick ass and stop hacking worldwide! And EVERYONE is gonna buy it on a huge price anyways…
But, unfortunately when too many developers get together, nothing ever gets finished, so they could very well play Minecraft in LAN parties, or Dungeons & Dragons, or beat Piniatas and end up more productive than when actually coding for the project. Because development is something nearly impossible to do right (it takes a lot more than coding), and most of the time it becomes a black hole that  sucks money.

In the meantime someone among the pentesters has the free version of BurpSuite and the Monitoring Center has an underspecs server or two…

And how it stops (not) working…

This nonsense actually has two ways to stop:

1. Developers suck up all the money and release no product.
2. Developers release the product.

The first scenario is simple yet amazing. A bunch of people bring a whole company down by not doing what they had to, while working every day 9:00-17:00 (sometimes even in weekends). I find this scenario amusing! It is the college project failure scaled all the way up!

But the second scenario is the one closer to reality.
When development department proudly presents a product, that has the same functionality with a forgotten project of some Chinese guy on Github, and the whole Upper Management realises that they can’t sell this stuff because none in the security industry really needs something like this (this is also the reason the Chinese guy abandoned his project back at 2014), the company breaks down. And it does as it depended on the sales, that should have been tremendous!

 

Why those tragedies do not happen in companies that manufacture refrigerators or condoms…

Upper management can very well be non-technical in refrigerator or condom companies. But the big difference between Security companies and condom companies is the following:

Upper Management people use (or have used) condoms and will never use security products (not even nmap)!

In condom companies people that have meetings and make choices about the company do not need to be consulted about how a condom works by a specialist, or why use a condom.

In security companies, in the other hand, the non-technical upper management has no fucking clue, and will never understand if something is worth spending or not. They completely lack common sense regarding their service or product.

This can be very well understood with 3 examples:

Condom makers

[The Condom Designer]: Hey boss, I believe we need to make condoms with WiFi. The budget we 'll need is 150.000$.

[The Condom Boss]: You are fired.

This boss figured out from his* experience that condoms with WiFi are useless as fuck. This Designer got sucked and he deserved it because he lost hours trying to budgetize condoms with WiFi. Fuck him.

*: or rather “her“, I prefer female bosses.

Refrigerator makers

[The Refrigerator Designer]: Hey boss, I believe that we need to make refrigerators with microphones, cameras and TCP/IP stack to ensure good quality of service (?). The budget for this is 180.000$.

[The Refrigerator Boss]: You are fired. (hopefully)

Here the boss didn’t see the opportunity of the IoT circus. But he fired the ignorant bastard just to be on the safe side…

Security providers

[The Security Designer]: Hey boss, I believe that we need to develop a tool that can compromise every operating system, platform and network.
We 're gonna write this in Java, as it is cross platform (?), and the budget for this will be 300.000$.

[The Security Boss]: This is a great idea! We are gonna invest on this!

This boss has no idea about Cobalt Strike, Metasploit, etc. Tools that have been developed for years and are the defacto standard for the industry. He has no experience on “compromising” things.
If he ever knew what Java is all about, he would burst into tears of laughter before the Designer could finish the proposition. (For people that don’t know, Java is even worse than Ruby nowadays).
Plus the “compromise everything” sounds too bad-ass to be cheaper than 300.000$…

 

For me the last conversation has one more line:

[God] : Hey guys, come to see those two faggots! They are gonna write metasploit again, from scratch! (laughters).
In Java! (laughters)
(...laughters echo in paradise...)

I hand out to you a recipe of failure! Please stop cooking it…