Security Testing for Muggles: An Interview with Paco Hope


Cameron Philipp-Edmonds: Okay, and you have experience over a number of different platforms such as web applications, business-to-business transaction systems, and even online gaming. Is there a particular medium or platform for software that tends to be more vulnerable or more susceptible to security attacks?

Paco Hope: Yeah, so there are two ends of the spectrum. In the middle of the bell curve, you've got all these apps that were conceived of as web apps from the beginning. Many of those are not so bad because we thought about them being on the web to begin with. There are two things that are kind of at the ends of the spectrum. One is the apps that we never thought would be on the web in the first place. There's still actually an awful lot of financial, and transportation, and infrastructure sorts of systems that are 20-30 years old and they were not really built with the web in mind.

That's the new-wine-into-old-wineskins kind of problem. The other end of the spectrum are things like mobile. Mobile apps are web first. They're mobile first. There are whole groups of people who are building an app because they never existed in the first place, and it's going straight to a mobile platform. What I think a lot of people don't realize is just because you're mobile, you still have all the same security concerns that we've always had.

Then you have some new ones, too because you're on mobile. It's really like we understand the middle of the bell curve and then these two tails of legacy systems that never anticipated the web, and mobile where they think they're different but the truth is they're not. Those two are places that are really active in security.

Cameron Philipp-Edmonds: Okay, so going forward, in the future the most susceptible is going to be the past. Not only the past, it's stuff that people think is immune because it's mobile.

Paco Hope: That's right. I'll just say that if you think of a mobile device ... A tablet, a phone ... If you conceive of that as a Windows XP PC chock full of malware then you have the right mindset. That's the kind of security that you need to associate with a mobile device, and a lot of people don't. They think of mobile devices almost as appliances. How could you hack that? It's self-contained. You can't get under the hood, but in fact we can.

Cameron Philipp-Edmonds: Okay, now going back to your presentation, is there one thing you would like for attendees to take away from it?

Paco Hope: Yeah, the biggest thing I need people to do is to stop thinking of security as magic, and think of security as perhaps a special case of what they're already doing. Maybe you do things a little bit differently. There's a bunch of testing 101 stuff. Boundary value testing, equivalence class partitioning, and when I first got introduced to those concepts as a security person, I thought well, we do that, we just don't call it that. We didn't have a name for it. That's what people need to see when they're thinking about security. They need to see it and think of it as yeah, this is just what I'm already doing.

Cameron Philipp-Edmonds: Okay, and so going along with that title you have in place which is "Softwarts: Security Testing for Muggles," and how you're going to try and get rid of the veil of magic that's been shielding people's eyes, is it fair to say that you will not be wearing a wizarding cloak and wizarding hat during your presentation?

Paco Hope: Actually, I fully intend to come on stage wearing the full-on pointy hat, magic wand, beard, and half-moon spectacles. That's part of the attraction. Yes, to show that in fact, underneath all of the wizarding costumery there's actually just a regular guy.

Cameron Philipp-Edmonds: That's fantastic. I really like that. Is there anything else you would like to say to the delegates of STARWEST before they attend the conference?

Paco Hope: I think bring an open mind and check the staff at the door.

Cameron Philipp-Edmonds: Okay, well that wraps up our interview, and this was the magical Paco Hope of Cigital. He'll be giving a keynote presentation at STARWEST 2014 which is titled Softwarts: Security Testing for Muggles, and we look forward to seeing you all October 12 through October 17. Thank you so much, Paco.

Paco Hope: Great, thank you.


About the author

A principal consultant for Cigital, Paco Hope has deep experience in securing software and systems. Paco's experience covers web applications, online gaming, embedded devices, lotteries, and business-to-business transaction systems. He has worked with small startups and large enterprises in architecture risk analysis, secure code review, penetration testing, and other consulting. Acting president of the London Chapter of (ISC)², Paco serves on (ISC)²'s Application Security Advisory Board, authoring questions for the CISSP and CSSLP certifications. He coauthored the Web Security Testing Cookbook, Mastering FreeBSD and OpenBSD Security, and a chapter of Building Security In.
