Has Your Company made this Traditional Mistake Managing a Security Team

So my background is development. I have been on both Red Team (attacking, pentesting, Threat/risk analysis) and Blue Team (design and implementation of security features, crypto etc). Yet for some reason the Red Team is typically in a quality group.

I can understand why to a point. But in a North American (NA) context where quality is a low priority (based on my experience) this approach is a failure.

Here is why I believe this:

1. In a NA context, there are little expectation of a quality group and are often ignored. They have no seat at the table.
2. Most security issues can be resolved and avoided during architecture. Unfortunately NA development does not engage (and in one of my experiences even purposely avoids a quality based security group) at this time so architectural mistakes are made and technical debt is incurred.
3. Threat models are inconsistent. Because of a low respect given to quality groups in a North American context development groups do not respect any group in a quality organization Therefore, they will not engage and ignore competent penetration testers in group within a quality group.

Fundamentally there is a lack of respect from development management and development members towards quality group members. I know, I have been in both. The different in a NA context is that management has low expectation for quality groups and often put under performing members  there. Development then as a whole has lower expectations and less respect for these organizations.

If you then have a group of well trained hackers in a quality group whose expertise crosses between these two divides then there is a problem. Your development organization will not respect or even listen to them and your product security as a whole suffers.

The bandaid solution is to move the red team group to the development management sphere but this avoids the elephant in the room, mainly the problem with how quality groups are managed and the expectations afforded them.

Throughout my career I have extended respect to all colleagues regardless of their position in the organizational structure. Development, Quality, and support.

However based on the unprofessional behavior of Developers towards colleagues in Quality I now have less respect for development teams. 

It is development who have the problem. And they are the ones that must fix it.

Burp Suite, Firefox, SSL, HSTS, and sec_error_unknown_issuer

If you are using Burp Suite Pro intercepting proxy you will know you have the following chain.

|Browser| <=>|burp|<=>|Target Website|

In an SSL environment burp will send its own self signed cert to your browser while behaving as the client to the target. 

But if the target website uses HSTS (HTTP Strict Transport Security) and you use Firefox as a client then you will have problems. What you will see is a sec_error_unknown_issuer error and no ability to add an exception.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate. 

Ok, So we know the site is normal - in our case its an internal staging environment. We could use another browser but there is a way to work around this.

Originally I tried downloading the burp self-signed certificate and importing it into the Windoze certificate manager by double clicking the .crt file. However this did not result in any change, I still had the sec_error_unknown_issuer problem.

The solution here is to manually import the Burp certificate into Firefox by:

1. Firefox->Hamburger Menu at Top Right->Options->Advanced->Certificates->View Certificates
2. This will display a Certificate Manager dialog. Select Import and then select the Burp Certificate.

The Attitude Failure of an R&D Shop

So sometimes you overhear things. Sometimes you don't have to try to overhear things. And even sometimes these things are presented to you on a silver platter with a marching band.

This is one of those times as shared by a friend who works somewhere.

So an R&D group is managed from out of town. So there are regular visitors from out of town to see what is happening in that outpost of R&D. These visitors attend meetings and (fanfare) ask questions.

When one of those visitors leave the room a local senior/lead developer states (or rather it falls out of their mouth) for the benefit of the remainder of the local people in the room:

I don't like these visitors showing up, attending meetings, and asking questions when they don't know what's going on.

So there are few points I would like to address regarding this kinds of statement:

1. You do not own the product that you are working on. They do. Get use to questions from them. Or leave.
2. These people sign your paycheque. Get use to answering questions from them. Or leave.
3. You work for R&D. It's not the other way around. Get use to it. Or leave.
4. Perhaps, since they lead R&D,they need to  ask questions so they know what is going on. Get use to it. Or leave.
5. The reason they are asking questions is because you are not communicating with them. So perhaps you need to communicate so they do know "what is going on"? Suck it up buttercup.
6. Perhaps you are so confused and scattered that you yourself do not know what is going on.

Fundamentally this shows an R&D team with a very poor attitude. The question is not who I would fire first but when I would stop.