The Constant March of Progress

"Please nurse, can I haz some more?". Yes my long-suffering infosec brethren, it's fudsec Friday and time for your meds.

This week, Chris John Riley is dispensing. Chris currently resides in Austria, where he is a pen-tester in the financial sector, infosec con junkie and fellow co-host of the Eurotrash Security Podcast. He also has a penchant for red aprons (don't ask). If you're not already a subscriber to his blog, you're missing out.

by Chris John Riley

I love to learn new things... there, I've said it. I'm addicted to the latest technique, the new attack vector, the shiny exploit code that makes your dreams come true. A lot of us in security are. That's not always such a bad thing. I love the buzz you get when you do something you never thought possible. It's the best kind of high. Still, the first step in any cure is to admit that you have a problem. As an industry, we have a problem. It's time we took a step back and really started to rectify the issues, instead of craving our next fix.

We all love the latest big thing. The thrill of a new idea, the chance to learn something new and different. For many of us in security, the chance to try something out for the first time is hard to pass up. After all, for the majority, this is the reason we got into security in the first place. The constant change, the new challenges and the ability to play with exciting things in the name of progress. We're like kids in a candy store. If you need proof of that, just consider the packed halls at Defcon, Blackhat and a hundred other "security" conferences that take place around the world every year. You can't help but see the ever-growing demand for the "next big thing" in information security. I'll gladly admit, I'll be amongst the first reading the latest batch of white papers to see what I can learn and use next time I'm testing a system. After all, this is why I moved into security to begin with... to have that constant growth and ongoing education that I felt network/server administration lacked. Still, let's keep to the point, because loss of focus is what got us here in the first place.

Where exactly do we expect this constant march of new and ingenious attack strategies to take us? Is there some mythical nirvana we can only reach after gathering up every zero day in Internet Explorer? Are we suddenly going to become secure once we find every possible way to crash an Apache server? I don't think that day will be coming anytime soon. Still, that's not really the reason for this little rant... and yes, it is a rant, no matter what I try to make of it.

Sometimes, as security professionals, we need to understand that the latest and greatest isn't always the norm. There are so many perfect examples out there to pick from, whether it's Conficker, coming back again and again to top up its prescription, or the seemingly endless hotel chain data breaches. The flaws are well known to us, and well advertised. Of course, there are always exceptions to the rule, and I'm not saying that zero-day bugs aren't going to be exploited by attackers, whether manually, or by worms, trojans, and everything in between. There will always be companies worthy of targeted attacks, after all. Still, these are, as the name suggests, exceptions and not the day-to-day that we still seem to fall down on. As security professionals we can't hope to protect 100% against the unknown. Still, there's no such easy excuse for our general failure to protect and educate about the known.

Perhaps we should all spend a little less time thinking about the next amazing attack technique, and a little more time sitting with the application developers, network technicians, security guards, or even management. Don't you think your clients/customers/company would get more out of going back to basics and really understanding the vulnerabilities a little better? Or do you think knowing the latest SSL rebinding attack/defense is more important than fixing the aging SQL injection flaws in your website? It may not be the new hotness, but it's been more than 11 years since it was first discussed.

I'm not trying to say that ignoring the latest threats and vulnerabilities is the way to go. We need a balanced approach, after all. Despite what some people say, defense-in-depth isn't dead yet. Just remember that, for the most part, our jobs are to protect against attackers, whether you're patching things, finding the flaws in your systems, or responding to attacks. The focus should be on what attackers are doing now, with an eye on what they might do next. Some of the most widespread system infections have been caused by vulnerabilities that should have long been fixed. Take some time to look at the news headlines once in a while. SQL injection, weak or default passwords, misconfigured and unpatched systems, business logic failures and client-side exploits rule the roost.

Maybe I'm in the minority, but most security testing I do comes down to the same depressing flaws and vulnerabilities that have been known for years, in some form or another. How many of us who work as penetration testers can honestly say that the latest technique was the key to breaking through defenses and gaining access? Of those who can honestly say yes, and I'm thinking that's not many, I'm willing to bet these are the companies getting it right. The companies doing the secure development life-cycle, doing the user and developer education, and most importantly, building security into every individual stage, from system and architectural design through to change management and system maintenance.

I look forward to the time when the only way to bypass defenses is to reach into that bag of tricks and pull out some new miracle pill. To me, this is what penetration testing really is, and where I feel it serves its core purpose. After all, there's little value in paying penetration testers to point out something that a 15-minute automated scan could tell you! You don't call an ambulance if all you need is an aspirin.

Sometimes we forget what the real threats to our environment are. We start boarding up the windows and forget all about the side door we left ajar. If this were a zombie movie, we'd be the poor suckers getting blindsided while searching behind the dresser for our stash.

Where are you going to focus your efforts today?