Jan 19 2009

Why Find and Publish Vulnerabilities?

I have been asked many times why I spend so much time and effort hunting for security flaws in software. I make no money off the vulnerabilities that I publish in my free time, and the companies that fix these flaws get essentially free quality assurance testing done. Some people think that it is to harm the other company or tarnish their reputation. This could not be further from the truth. nGenuity practices responsible disclosure and works with vendors to fix security flaws before the details get published.

So what do I get out of doing this work and more importantly, what do you get?

Skills Dissipate

Since leaving Symantec to start nGenuity, I find I don’t have as much time to do security assessment work as I used to, something I really enjoyed. To ensure that my skills do not atrophy, I seek out software vulnerabilities and ways to improve my methods of finding and fixing them.

Credibility

Does an I.T. company that doesn’t know how to find and identify vulnerabilities in systems and software really know how to secure your network and protect your data? Publishing vulnerabilities and helping companies secure their software and systems helps nGenuity demonstrate that we have an in-depth understanding of security issues. Better yet, you know that we are going to be able to help you secure your environment better than your neighborhood computer guy who will sell you a product and tell you that you are “secure.” I know this sounds like a sales pitch, but it’s something to really think on the next time your I.T. company tries to talk to you about security and rambles on about simply purchasing products. There is a lot more to it than just installing patches, anti-virus and backups. It’s about the entire process, the security life cycle of your business.

The Ah-Ha Moment

Many businesses don’t understand they have security problems until they have either been affected by them or are shown just how vulnerable they are. If I can demonstrate to you how I can take over your website, siphon confidential data from your network or make your point-of-sale systems unavailable, it is easier to see just how security issues will cost your business money. Without these ah-ha moments, unknown vulnerabilities remain unknown business liabilities.

In the end, if the vendor has improved their software, then my customers’ data and brand are better protected and I’ve had the opportunity to continue refining my skills. I would call that a win-win for everyone.