One day at the teahouse, Mulla announces that he is the most hospitable man in town and invites a bunch of people to lunch at his home. The crowd and Mulla march towards the house.
“Just wait here. I will let my wife know,” Mulla said.
The hopeful crowd waits outside the house.
Mulla’s wife exploded at him when she learned he had invited strangers for lunch.
“No way. I am not cooking for them. Tell them to go away.” she shouted.
Mulla apologised and said, “I can’t go outside now. My reputation as the most hospitable man is at stake.”
“To hell with your reputation, Mulla. You go upstairs. I will let them know you are out,” she blasted.
Mulla’s wife went outside and declared, “Mulla is out. He is not at home.”
Someone in the puzzled crowd said, “How? We saw him go into the house.”
She did not respond.
Another one from the crowd said, “Yes. Nobody has come out from the front door.”
And another one, “How is this possible?”
Mulla, watching from the upstairs window, could not resist.
“I could have gone out through the back door, couldn’t I?”
We often focus on the usual security controls for application security. From business requirements through to delivery, our attention goes to making the front end, the user-facing entry point, as secure as possible.
In Mulla’s story, neither the crowd, his wife nor the reader thinks of the back door, which is why the punch line lands and makes you laugh. The humour has its place, but reverse the perspective and the story raises a serious question.
If Mulla can leave through the back door, why can’t anyone in the crowd enter the house through it?
Do you get the point?
Why is there a back door?
It may exist for a legitimate purpose, such as access to the back garden. In the technical world, a password-reset flow is exactly such a back door: it lets a user in without the usual credential. So it must be locked against threat actors with its own authentication and authorisation. In practice that means the reset link must be unguessable, expire quickly, work only once, and reach the account owner through a channel the attacker does not control.
We implement security controls to prevent attacks and breaches, but we pay less attention to the heart of the application: the code itself. Scanning it from day one, statically (SAST) for flaws in the source and dynamically (DAST) against the running application, is therefore crucial.
A developer can also create a back door, for example a hard-coded master password or a debugging shortcut that never gets removed before release. Humans are the weakest link in security, so investing in your people through security training and education is key. It is a core CISSP concept.
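The two kinds of back door above, the legitimate one with a lock on it and the one a developer plants, side by side in Python. This is an added example written for this article, not code from the original post or from any real product. The in-memory stores, the account names and the `DEV_MASTER_PASSWORD` string are constructed for illustration; a real service would persist users and tokens in a database and send the reset link by e-mail.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a real user database.
USERS = {}           # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}    # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2; the plaintext is never stored or compared directly."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def register(email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}

def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])  # constant-time compare

# --- The legitimate back door: password reset, with a lock on it ----------

def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token to be sent out of band (e.g. by e-mail).
    The caller must answer "if that account exists, mail was sent" either way,
    so the response never reveals whether the address is registered."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits: unguessable
    # Store only a hash of the token, so a leaked table yields no usable links.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL}
    return token

def complete_reset(token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token: it must exist, be unexpired, and it is single-use."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None or record["expires"] < now:
        return False
    salt, digest = hash_password(new_password)
    USERS[record["email"]] = {"salt": salt, "hash": digest}
    return True

# --- The illegitimate back door: a developer's hidden master password -----

DEV_MASTER_PASSWORD = "letmein-dev"  # constructed example of a planted backdoor

def login_with_backdoor(email: str, password: str) -> bool:
    """'Before' version: a debugging shortcut left in the code. Anyone who
    reads the source, or a leaked build, can log in as any existing user."""
    if password == DEV_MASTER_PASSWORD:
        return email in USERS
    return verify_password(email, password)

def login(email: str, password: str) -> bool:
    """Hardened version: the only way in is the user's own credential."""
    return verify_password(email, password)

if __name__ == "__main__":
    register("alice@example.com", "old-password")
    tok = request_reset("alice@example.com")
    print("reset ok:", complete_reset(tok, "new-password"),
          "replay ok:", complete_reset(tok, "again"))
    print("backdoor login:", login_with_backdoor("alice@example.com", DEV_MASTER_PASSWORD),
          "hardened login:", login("alice@example.com", DEV_MASTER_PASSWORD))
```

The reset path is the locked back door: the token is random, stored only as a hash, expires after `TOKEN_TTL` seconds and is deleted on first use, so a guessed, leaked or replayed link does not open it. The `login_with_backdoor` function is the kind of planted entry a SAST rule for hard-coded credentials should flag, and `login` is what remains once it is removed.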
I have been fascinated by Mulla Nasruddin’s stories since childhood. He is a folk hero of the Muslim world.
You might be interested in reading the SALT IS NOT WOOL story to understand risk, threat and vulnerability.
I read a few stories and decided to adapt and integrate his wisdom, wit and humour into cybersecurity. The original story is titled THE ALTERNATIVE; you can read it here.
This is the second article of the ongoing series — Cybersecurity With Mulla Nasiruddin.
If you like this article, please subscribe to this blog and newsletter.