Interview: Pete Herzog

Pete Herzog is an exception among the speakers at FOSDEM 2007. His main focus it not a software project, but a "methodology" -- and one that aims to improve and measure IT security.

What do you want to tell the FOSDEM audience in your talk?

I want to show people that network security testing and analysis is complicated and they shouldn't rely on just their security scanners to tell them the answers. Security verification and analysis is something they should learn to do themselves or else they will miss many of the problems which the tools fail to show.

How did you get started in the security area?

Without admitting to the "bad stuff" let's say I started in physical security. At age 16 I hung out with the store detectives where I worked. By 18, I was kind of an authority at my university on identification fraud even working to teach local businesses on how to know a real I.D. from a fake. That summer I was hired to do "beer stings" to test store clerks to see how far I could push them to sell me beer illegally but stopped after a couple months because I never had the heart to fire those who failed (I only gave stern warnings).
By my last year in University, I worked in the computer lab battling disk viruses and breaking copy protection for professors who wanted to "try" unlicensed software. At the same time, I was paying for school by working sting jobs for a couple chains to catch embezzlement as well as point out other security lapses.
Unfortunately, I stepped away from security after college for a few years while chasing dreams and some bad ideas too. Although security was often part of my various jobs, I didn't consider it as a profession until IBM Germany tapped me to be on their ethical hacking team. So I left my cushy software-testing job at Intel to be a full-time hacker. The rest is all security after that.

And it is a very broad topic indeed... Which parts of security will you discuss?

I will focus on network/Internet testing and analysis from services to applications.

What is the relationship between security and security testing? Can the one exist without the other?

Please tell me that's a rhetorical question like how many "ethical" hackers can dance on the head of a pin?

Eh ...

The ISECOM definition of security is as a form of protection that physically separates or removes the threat from the asset. The ISECOM definition of security testing requires the verification and quantification of operational security and safety (controls). This means that by applying security measures, you are already most likely testing it to be sure it's the right fit. Otherwise it would be like buying a table for your kitchen without regard to size or style and just hoping you get something that at least you can eat on.

How does a methodology like OSSTMM benefit from being open sourced?

An open methodology states publicly what is to be tested and what measures are used to minimize testing errors. Embracing an open methodology means having something standardized for comparisons, transparent to the client, and thoroughly peer reviewed.

And what is the advantage of the Open Methodology License (OML) over other licenses?

The OML isn't about Copyright. It shares Trade Secrets. A methodology is considered a Trade Secret in international law and that's what we have made open so that no one can realistically claim it as their Trade Secret. So the advantage is that it opens and protects methodologies.

Is OSSTMM adopted by many organizations?

I think so. Unofficially, I know of a vast number of organizations. Officially however, I have had only a few hundred organizations step up and say they use it. I don't expect people who adopt it at any level to let me know directly. It's nice if they do but I stopped hoping for it and just keep working in the dark. I still think the coolest thing is to be somewhere far away and have someone working [on] hotel security tell me they have a copy of my manual in their office.

Apart from the methodology itself, have there been any tools developed within the project?

I do know of a lot of tools that added functionality because of the OSSTMM but we have done little to focus on software solutions in-house. We generally just work with both FOSS and commercial companies to integrate our research into their products.

What is your take on the issue of open-vs-commercial in terms of software security?

All commercial software should also be open while being commercial. I can understand why someone would want to protect their source code from competitors, however they should realize that their current means of doing so don't actually work. However, that's not as bad as the current licensing problem where we often don't even OWN the software we buy. I think that problem needs to get resolved first.

Thank you for the thoughtful questions.