Bryan Owen

1-Aug-2011 Did “Stuxnet” change your profession?

Blog Post created by Bryan Owen on Aug 1, 2011

It's been just over a year since news of "Stuxnet" rocked the world and the industrial control system community.  How did this destructive computer worm change your profession?


On personal introspection, developers of mission-critical applications might look back at the year and believe nothing has changed because of Stuxnet... after all, their code wasn't the target. Perhaps others can honestly reflect on having taken a pragmatic approach in reviewing Stuxnet-related exploits and their development practices: no hard-coded credentials in my app; my program files can't be easily spoofed or planted; my code signing key is secure; my application doesn't require administrator; my application always shows correct information.


Kudos if you fall in the latter camp and believe Stuxnet is a call to action for building more secure applications.


Unfortunately, it's my opinion the profession of criminal hacking was most lifted by Stuxnet.  We may never agree on why programmers might choose a career path that can result in such perilous consequences.  The bigger question is how well and how quickly our profession adapts to overcome the will of intelligent cyber adversaries.


Learning more about offensive cyber tactics and forcing security failures can help us improve defensive programming skills.


One idea is to occasionally offer contest-based challenges within the vCampus community. Some of the contests would be targeted to advance more secure PI Systems. We don't envision anything as intense as Defcon's 'capture the flag' but we hope there will be enough intrigue to capture your interest and participation.


Feel free to comment on the merits of this approach and post ideas you think might be useful.  For preparation in the meantime you might want to brush up on SQL injection tactics!