2003-06-16
A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.
Bad Raps for Non-Hacks
2003-06-17
Anonymous (3 replies)

I will add that them short-sighted idiots happen to be the ones who have the ultimate authority to approve the expenditures that pay your bills and mine as security people. The world can be cruel, ugly and unfair in that way, but that's the way things are.
You are right that reporting security holes is no pot of roses, as the net admins and net engineers who manage their op on a daily basis can get SUPER defensive, and they don't forgive and forget either. Those would-be security professionals who have no flair for diplomacy should really stay out of this business. And all the good will in the world will not protect you from coming to a bad end in this business if you don't watch your surroundings.
Finally, I am a great believer in not doing anything until we start receiving money from the client, as in "Show me the money!" Actually getting the money is the ultimate proof that the client's liaison person really has the authority to get the security testing approved, and that we interfaced with the client using the proper channels. CYA!
I am a security guy, because I love dealing and interacting with people. This does not mean that I am not unaware that I could end up with sharp objects sticking out my back, if I don't look over my shoulder systematically. CYA!