It has happened again: a heads-up was given that a vulnerability in a widely used open source library (OpenSSL) was about to be disclosed. For reference, see their blog post.
For historical context, OpenSSL is the most widely deployed open source implementation of TLS and cryptographic primitives, and it underpins common services that power e-commerce, SaaS, or any other technology that has to perform encryption operations. Their track record is remarkable: in eight years, this was only the second 'critical' severity vulnerability they had announced. Naturally, the information security industry took to Twitter and other social media to discuss it and give a heads-up about the upcoming disclosure.
This all sounds fine, until well-known security personalities started claiming that this would be another security doomsday scenario, and generated so much hype that companies were panicking ahead of time. The problem with the hype was that it was built on no details and no context about what the vulnerability actually was. What became interesting was that once the details came out and the actual scope and impact of the vulnerability were understood, none of these folks walked back any of their doomsday claims.
To add fuel to the fire, the first line of criticism was to rant about how the OpenSSL Project had not assigned a CVE ID in its pre-announcement. But that rant came with very little insight into what the OpenSSL team has to handle when it coordinates a disclosure. All in all, we saw a collection of ivory-tower opinions about how a project that is widely used but maintained by a few people handled such an announcement.
Why our voice matters
As security professionals, we are relied upon to provide practical risk guidance to the business and to the world. It is up to us to control the message and show that this industry is in fact composed of professionals, not just people who are seeking attention (I get the irony of me writing a blog post calling out those who are seeking attention). We have people in the industry who are followed by thousands and looked up to as the experts. We can do better.
Wrapping up
Short post. I just needed to get some things off my chest. My issue is that panic ensues, companies and people start making the wrong decisions, and the bad reputation that security already has grows a little more (I feel sorry for any team that was told to prioritize patching this vulnerability before the details came out). Also, the Internet is powered by a group of volunteers. Let's make sure we show our support by contributing to the project, funding or otherwise supporting the project, or at the very least not making things more difficult for them. Kudos to all the FOSS maintainers out there; technology wouldn't be where it is if it weren't for you.
Well said, Emilio.