Kerckhoff's Principle and Secret Sauce Consultancy
23rd May 2021
Kerckhoff's Principle of cryptography states that "a cryptosystem should be secure even if everything about the system, except the key, is public knowledge".
I would also apply this to consulting and to security in general. The inverse of Kerckhoff's principle is a system whose only value lies in its workings remaining a secret. The work of a security team member or consultant should still be valuable even if all the steps to replicate it are public knowledge. I frequently encounter reports where remedial advice or findings fail to mention how they were confirmed, where tool output is completely cut out, and even where the confirmatory tool's name is not mentioned.
The proud techno-mage, having completed the vulnerability scan, jealously guards their methodology, worried that their time usage will need to be justified. But your recipients will always vary in background, experience, and knowledge. A project exists to provide value, to identify, catalogue, and _clearly_ explain discovered risks, and walk the client through the process of addressing them. Without clear and frank discussions about how they too can replicate the risk (include the GitHub link you masochist!), this is painful.
If the idea of including your tool data, detailing the steps you went through somehow removes the magic, or worse, gives you a feeling that now your efforts were useless... you probably haven't done enough.
Your efforts shouldn't rely on ignorance to seem impressive; at best your technical approach will remain forever brittle, waiting to be shattered by the point of contact who knows too much. At worst, you'll turn inwards away from tooling, and create an arcane methodology that slowly becomes ever divorced from openly shared best practice in the effort to create that which none other can replicate.
Share the knowledge; create an accessible report. Make your next penetration test harder for yourself by fixing the issues you've exploited. It's the best way to improve.