Have you noticed that the IT world is vast, yet there seems to be no room in it for information security, even though a great many people, sometimes critically many, actually need it?
Many people now create and develop products, but very few want to pay for their security. Such a decision is looked at askance, because many (mostly businessmen, of course) do not want and are not ready to pay for something that will not bring them money later, and the prospect of merely "not losing" apparently does not sound convincing to them.
Under the cut, I would like to compare and draw a parallel (although in places it may seem exaggerated) between witchers and pentesters (the witchers of the IT world).
According to my observations, the IT world is now built so that more and more services, devices and technologies appear all around, and hence more costs for users, as paid subscriptions and paid (including advanced) features are introduced as a rule, while many people, thinking only about profit, forget to think about protection.
The main reasons are that they did not budget for it or deliberately dismissed security in the spirit of "it will do as is" and "who needs us anyway".
There are also cases where time was not budgeted: you have certain obligations to investors or your superiors and you absolutely must meet deadlines.
Few manage it, but to meet deadlines people eventually release on time with security, as usual, in last place: they build only the most basic functionality without testing it properly. This is a serious miscalculation, because the human factor can never be ignored: sleepy, tired programmers will have made mistakes (which, in principle, is not at all surprising) somewhere in a huge amount of code.
And that is without counting the inherent qualities of the programmers themselves: sometimes it is outright hack work, when the budget is simply being "sawed off". It happens like this:
As for conscientious software developers, they are developers precisely in order to develop products, not to protect them.
Yes, you can follow secure development principles, but nothing can replace the full-fledged work of a pentester.
Some companies that develop tools for automating pentesting admit that although the tools can help, nothing can replace the live work of a pentester, and a pentester armed with these very tools becomes even more powerful.
But some people still do not understand this: specialized professionals, experts in information security, and the "special squad" of pentesters are always needed.
Now let’s talk about terminology.
We will return to pentesters after describing witchers, who are also a "special squad".
Witchers are fictional characters from the Witcher universe by Andrzej Sapkowski, mutants with supernatural powers who have been specially trained to become professional monster slayers for hire.
Witchers are said to have no emotions, although this is not entirely true. In recent years, the Witcher caste has been reduced to a handful of active hunters; so few of them remain that the world is beginning to resemble a time when they did not exist at all.
Immune to all diseases and toxins: before a battle, witchers take toxic elixirs that enhance their abilities for a while, whereas an ordinary person might not withstand the effect and would die.
That is, in the generally accepted sense, a witcher is a profession. Usually the word means hired monster hunters, but not just any representative of the craft: those who have gone through a series of mutations and bodily changes that make witchers superhumans with incredible physical capabilities. It is these traits that allow them to be maximally adapted to hunting various creatures and beasts, and thus far more effective than any "competitors".
The main charismatic hero is Geralt of Rivia; you may know him from at least one of the best games of the decade, "The Witcher 3: Wild Hunt".
Pentesters are a special "squad" of people specially trained to become professional fighters against "monsters": problems (vulnerabilities) in IT.
It is believed that pentesters (read: "hackers") have no emotions, that they are harsh "computer people", although this is not entirely true. In recent years, the security caste has also been reduced to a handful of active hunters; so few remain that the world is beginning to resemble the times when they did not exist at all, especially in Russia.
They are immune to all diseases and toxins: before a battle, pentesters take toxic elixirs (large quantities of energy drinks, coffee included) that strengthen their abilities for a while, whereas an ordinary person might not tolerate such an amount and its effect, and would die.
That is, in the generally accepted sense, a pentester is a profession. Usually the word means hired hunters of vulnerabilities and bugs, but not just any representative of the craft: those who have gone through battle training and experience, and bodily changes that make pentesters superhumans with incredible physical capabilities.
It is precisely these traits that allow them to withstand the strain on the heart and to be maximally adapted to hunting various creatures and beasts (viruses and bugs), and thus far more effective than any "competitors": programmers with some leaning towards information security.
Beyond these similarities, witchers, like pentesters, face the dissatisfaction of those who hired them, and sometimes of mere passers-by.
Witchers, like hackers, are viewed as a separate caste of people who are "not like everyone else", and are sometimes even feared.
Sometimes a witcher walking around a city can hear from the "uneducated" in his direction: "mutant", "geek".
A pentester (also known as a hacker) can hear, from those same "uneducated", "freak" or "nerd".
Neither can do without a glow-in-the-dark "magic" gizmo in "battle" 😉
Those who are "educated" and "in the know", on the contrary, treat them with respect and honor, whether it is the witchers in the Witcher's world or the pentesters in our IT world, and respect their craft.
After killing a monster, witchers can be showered with complaints, starting with attempts to cut the contract fee, deliberately replacing it with a cheaper one, and ending with an outright refusal to pay, citing various, sometimes absurd reasons, behind which, of course, lie damaged reputations and an unwillingness to admit loss.
Pentesters are not liked either: people likewise sometimes want to cut their fees, deliberately replace the fee with a cheaper one, or not pay at all, citing various, sometimes absurd reasons, and they also try to shut them up, because they do not want to incur reputational damage.
It is quite common that even those who did everything right do not receive a reward for finding bugs and vulnerabilities in a bug bounty program.
Such stories sometimes make up the introductions to many talks at various conferences, such as ZeroNights.
Speaking of bug bounties: in the IT world, this is a platform on which, in a sense, a "kill contract" is posted with a reward attached; but first the "monster" needs to be tracked down, perhaps even lured out, and then eliminated. By default it is assumed that it exists, since it disturbs someone's peace from time to time.
In The Witcher 3: Wild Hunt, this function is simply performed by a bulletin board.
Witchers, like pentesters, as mentioned earlier, are meant to perform tasks that ordinary warriors and trained knights cannot handle, despite their strength.
Learning pentesting, like studying in the witcher schools, suffers the same split: under normal circumstances you will not find an opportunity to do it; the only option is to go underground (online/offline courses) or accept the fate of the self-taught, since no university or school will give you everything you need to become an "elite killer".
In the Witcher universe, becoming a witcher itself required a hell of a lot of pain, which only a few were able to endure, but it still paid off in full: no one could do the job better.
But there was much disregard for the work of witchers, expressed in disrespect and low pay by market standards from employers and ordinary residents, which led to the decline of the witcher schools, not counting the many other nuances and inconveniences they had to endure.
There, residents believed that not so many monsters were left and the remaining witchers would cope, but in fact they were mistaken, because there are many monsters and they will all continue to breed (and why not?), perhaps creating new species, while witchers, though super-fighters, are still mortal, and the creation of new fighters is either very slow in the underground or does not happen at all.
We face the same problem in real life. Poor hygiene in information security, disregard and disrespect towards pentesters, the lack of quality courses (most are padded with filler), the lack of quality education (many are interested not in teaching but only in commerce: holding as many lessons as possible while telling as little as possible, to stretch the course out and thus get more money), as well as the shortage of it in general, lead to the extinction of quality penetration testing and quality products.
But our lives and our personal data are at stake, and if we continue in the same spirit, there will be no one to protect the country in the future.
In the Witcher world no one is going to fix this problem, but we can still try to change it.