Antonio `s4tan` Parata has published an interesting interview with Rain Forest Puppy (RFP), a well-known personality of the security community from some years ago. It is very interesting to read, in RFP's own words, an analysis of how people's view of security has changed.
I particularly enjoyed the following passage:
Antonio “s4tan” Parata (ap): Hi Rain Forest Puppy, many thanks for this interview. You are considered one of the fathers of web security and the inventor of the SQL injection attack. Anyway, in the year 2003 you decided to publicly retire from the security field (for more info see http://www.wiretrip.net/rfp/txt/evolution.txt). Can you briefly sum up your decision?
Rain Forest Puppy (rfp): My decision to retire from the public eye was based on a lot of reasons; overall, the amount of resources & energy required to release and maintain advisories and tools was just getting to be too large. It wasn’t fun anymore–and why pursue a hobby if you’re not enjoying it?
Plus, the security industry was becoming commercialized. Advisories and exploits are now bought and sold; performing security research in the first place can land you in legal waters. The intellectual value of the security research performed has been reduced to a single severity rating, which…if not high enough…causes the entire research to be dismissed. I really enjoy security from the intellectual angle; to me, it’s all just a big mental challenge…a puzzle, if you will. So when the creativity and intellectual aspect of it started to fade away, I decided to go with it.
I fully back this point of view: "why pursue a hobby if you're not enjoying it?"
The creativity and intellectual aspects of security do still interest me; it is just the market around it that changed. That's also part of why I started doing more System Management again – at least I have fun thinking and tinkering, integrating, scripting and composing….
[...] The intellectual value of the security research performed has been reduced to a single severity rating [...] I really enjoy security from the intellectual angle; to me, it’s all just a big mental challenge…a puzzle, if you will [...]
His point is expressed beautifully.
But he does not only talk about the security community and market; he also has some interesting thoughts on open and closed source software:
ap: You are the author of the libwhisker library (http://www.wiretrip.net/rfp/lw.asp), widely used to create assessment perl scripts. What do you think about today's products related to web application assessment? What about some open source software (like parosproxy or nessus) that changed to closed source?
rfp: I have to choose my words carefully, because I very recently started working for a security software vendor.
Having had open source projects, I will say this: it is very hard to bootstrap a development community, and achieve the same level of polish, quality (as in QA), and implementation thoroughness as a commercial product. This isn’t necessarily because commercial software vendors are better coders; the dynamics are just different.
Open source coders are usually working on their own donated time. That means contributions are often catch-as-catch-can and best-effort. Open source projects (when not sponsored by a commercial entity) are typically limited in resources (with time being the critical one).
All I care about is whether the tool works and/or gets the job done. I’ve spent so much wasted time trying to get a screwdriver to do a hammer’s job, and vice versa. I really don’t care if a tool is open source or commercial; I let the job dictate the tool, and not the other way around. Of course, there are certain artificial restrictions on this (like price limitations), but in general, I think there are some things that currently only exist in free & open source tools, and there are some things that currently only exist in commercial tools.
So use both wisely and get the best of both worlds.
Read the complete interview here: http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/