From Underground to Overground
2024-3-30 08:5:31 Author: www.hexacorn.com

There are many debates and infosec dramas related to vulnerability research, publishing Offensive Security Tools (OST), Proof Of Concept (POC) Code, and in recent days – some Original Gangsters (OG) are reflecting on their own doings by posting teary memoirs and apologetic ‘I-should-not-have-done-it’s…

When it comes to cybersecurity, it is best to stay cynical. So, what follows are pretty brutal statements that may (I hope) affect your perception of the cyber-reality:

  • the most successful changes to security seem to be coming not from security solutions, red team exercises, or user awareness training, but from transformational, architectural changes (MFA is a great example, especially with its iterations and nuances, many of which are around usability)
  • the ‘impose cost’ dogma is nonsense because it’s an ego-trip + your opponents, as long as they have an incentive to get to you, will find these funds (+ bad guys do have more money than we can imagine)
  • releasing 0days, 1days or anything that facilitates remote access, DDoS is a strong NO; I think Github and similar places should enforce a policy that you can only publish stuff that is 90days+ and maybe even no-RCE/no-DDoS; anyone releasing 0days, 1days <90days or DDoS tools should be considered at least threat actors’ accessory and possibly face prosecution
  • non-RCE, non DDoS OST, even ransomware-ish stuff and hacking tools should be fully available for consumption; there is a lot of beauty and cleverness in it, there are fame brownie points there too, but it generates a body of work that helps defense tremendously – could we even have NIST guidelines or Mitre Att&ck, let alone vendors improving their software w/o all these white papers, conf material, POCs, humiliating pwns, backdoor code exposures, etc.?
  • there is a lot of ego in old people talking about ‘oh, I have released this and that in the past; now I see it was bad’; c’mon… anyone who used to read virzines from the 90s knows that most of these techniques have been known since those days, and today’s researchers are just rehashing them… anything syscall-related is literally the same as tunneling and tracing from the DOS era; even gadgets were known in the DOS era, they just didn’t have that fancy name yet; don’t worry, many people are better than you and would release a POC of that ‘novelty’ technique anyway… it’s just virtue signaling dressed up as a guilt trip
  • enterprise security doesn’t give a monkey about OST, POCs, etc. — many people in offense and defense who see the security world through the lens of their own version of The Frog in the Well are often surprised when they find out; all these infosec dramas about OST, etc. are kinda provincial in the big scheme of things; seriously… OST is just one of many, and it’s pretty much operational, borderline tactical stuff
  • let me reiterate – enterprise security is not what you think – and if successful, it is run by people who seriously don’t give a shit about your supercool research, tool, C2 framework, or whatever… they have Mergers & Acquisitions, Contractual Agreements, Compliance, Regulated Markets, Tech Debt, Shadow IT, Shared Responsibility Models, Digital Transformation, and many other bits to take care of — ‘technical’ people smirk at it, but this is the actual stuff Adults play with
  • ah, and last, but not least – many young people will still do stupid stuff…

If you want to make a real dent in IT Security, cybersecurity, or whatever… study business and organizations first. The real cybersecurity value proposition doesn’t come from our knowledge of assembly language, C2 frameworks, attribution mumbo-jumbo, or even one-off Red Team engagements. It comes from our ability to design and deliver a security program. And a security program is a project. And such a project offers a change. And that implies patience. Be patient.


Source: https://www.hexacorn.com/blog/2024/03/30/from-underground-to-overground/