Should We Buy More Tools?

In this “syndicated” post from the Jack Mannino blog, Jack discusses if we should take a tool-centric approach to a security program. Of course this is a purely hypothetical situation. 🙂 Personally, I say the answer to this question is a resounding NO … but let’s see what Jack has to say.

As part of our effort to let the Metro DC area know about the awesome infosec bloggers we have, our “syndicated” posts emphasize other local bloggers that discuss news, events, and resources relevant to infosec professionals in NoVA, DC, and MD. In each post we introduce the topic, syndicate the introduction and part of the content, and then link off to the source blog post for the rest of the content and conclusions.

Well onto today’s post…


“Short answer: in most cases, absolutely not. Tools alone do not make an application security program successful. In fact, I’d go as far as saying that taking a tool-centric approach to any security program is doomed from the start. Let me explain why with a “purely hypothetical situation.”

All too often I’ve run across organizations that have deep enough pockets to run a very tight ship, yet somehow fail miserably. This evening we will pick on the Federal Government sector. Most groups in the Federal or DoD space have to budget several years in advance to procure actual consultants or contractors to perform a particular subset of services. However, at the end of each fiscal year they fight over huge pots of money. Those that are fortunate enough to justify why they have a rightful claim to some of the funding often go out and spend a considerable amount on tools and other software solutions that they hope will serve as a band-aid for another year or so.

Here is a scenario that ends up unfolding time and time again: Agency A purchases a few licenses for a web vulnerability scanner and a source code analysis tool. Meanwhile, they expect their same mid-level (maybe even “senior”) security teams to perform this work properly without any training, hands-on experience, or in-depth knowledge of what they are up against. Armed with new and expensive tools but lacking knowledge of fundamentals, best-practices, etc etc they begin scanning everything. And scanning. And scanning. And scanning. At some point a savvy developer bursts his/her bubble and says “Everything in this scan report is a false positive. Did you verify them first? Did you tune your rules or did you just use the default rules?” The “security” team member responds with “Tune what? Why and how would I verify the results? I’m not a developer. That’s your job.”



See the rest of this post and it’s exciting conclusion over at the Jack Mannino blog. If you are based in NoVA, DC, and MD and would like to have posts from your blog considered, please Contact Us or mention @grecs with the request on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.