Fear, Art, and Hacking
A person’s license to create is irrevocable, and it opens to every corner of daily life. But it is always hard to see that doubt, fear, and indirectness are eternal aspects of the creative path - Shaun McNiff in ‘Trust the Process: An artist’s guide to letting go’
When people say “the art and science” of information security, I get the sense that they think of “art” as merely the application of subjectivity in an otherwise prescriptive methodology. As if to say, art is really a secondary consideration to the process. The lines are set, but you get to pick the colors. If you want to make your own art, it is regulated to the domain of side hobbies, tinkering, or fun home projects. External things, set aside for play and not for function, and never a core ingredient of work. As great side projects are, I don’t think you could make a bigger mistake than limiting your perspective of art to that. Creativity is life. It brings energy, it solves problems, it is a type of magic. When I started this sen security project I set out to talk about art, not as a small part of the craft of security testing, but as an equal partner to science.
Every test you perform as a security professional is a chance to tap into a deeply creative process that challenges you to be better. Even in the mundane, there is a chance to constantly re-invent yourself and your approach to find new ways to explore. It is a truly amazing journey. I absolutely hate hearing testers tell me, “I did xyz testing for a while and got burnt out, it was all the same.” In a world this technologically diverse, how could every engagement actually be the same? It more likely to consider that perhaps it you who needs to change. Perhaps you are stuck. Done well, the art of security testing evokes a certain type of beauty and emotion. You should never settle for less when given a chance to create that.
So how did we get stuck in a world of process? First, I think people forget that methodologies exist for the sole purpose of learning with the intention to graduate. The constraints placed on you are only supposed to be guidelines. I like to call them guard rails on the side of the road to keep you from falling off. They are great for education because they help you establish a baseline of ideas for how to solve a creative problem. But they aren’t the end point. When I started to cook polish food, I followed the recipes for a few dishes the first couple of times I made them. But after a season you realize the tastes and timings that really make a dish great. You may even make changes to improve on an idea. Why is security testing less than that? For me, I hate the feeling of being constrained to a list. It is suffocating. This is the hardest part for me when I play music with others. I don’t mind repeating cords, and I don’t mind setting rhythm (as a drummer that is sort of my job), but I don’t like sitting there for 3 minutes w/o room to breathe.* There needs to be a balance. Security testing approaches that fail to let you breathe are intrinsically broken. You aren’t a mere backup player, you are the damn band.
The second reason I think we get stuck is because creativity is by its own nature terrifying. Sitting down, even now after 10 years testing, there is this awful feeling similar to that of a blank page. I indexed a site, I exercised some functionality, and my site-map is overwhelming. I look at it and see an endless world of possible testing, and I don’t know where to start. This feeling is made worse by spending the last four on a hiatus of sorts. Doubt creeps in. Lists and methodologies are great solution to cope with that feeling. It is like the warm woobie that makes you feel like you’ve made progress. Regardless of if it is applicable, it is at least a direction. We invest in those processes, we get great at those processes, and we finish our list of things on time. We might find a good finding, we might not— but either way we at least followed our OWASP top ten list. And who can blame us, everyone is doing it! And if everyone is acceptably failing, we don’t have to take responsibility.
When staring down the barrel of a deadline, it is really hard to not be afraid of failure. We don’t want our best work to come up short, so we don’t do our best work. My teacher once told me that people often take on more than they could ever accomplish because it makes never getting anything done feel a whole lot easier. It is an awful feeling to try your hardest to just do one thing and come up short. We don’t give our best, because we don’t like the idea of it not being good enough. This stressor has caused me to give up many a weekend to learn one new thing, or to hack one more process. But art teaches you something else— failing is a normal part of the process on the road to mastery. It is your best teacher along the way. Art teaches you to take chances and to make friends with the realization things don’t always work out. If you planned for that, if you accepted it and embraced it— you can begin to be honest with yourself. Art gives you permission to chase improvement, not perfection.
And here is where we get to the rub. You are going to fail either way. No plan is good enough, no methodology is fully comprehensive, no answer is complete. When I was younger, I collected every vulnerability and methodology I could find. I was up to date and as fresh as one could. But years into my career, whole new categories of problems (XXE, XSRF, DLL Hijacking, etc..) were identified. That means for every year prior, those issues still existed, and no one knew. Why would anyone be invested in feeling bad about that? All of this is part of the process and journey. You will miss things; you will make mistakes. Art teaches you that is okay.
I barely scratched the surface on art as a core part of security testing. But it has been on my mind a lot lately. The world feels very mechanical and heavy, and it feels important to remember there is real magic to found— if you are bold enough to give yourself a chance to pursue it.
Drive fast, take chances. That is how music is made.
