Tuesday, December 2, 2008

Getting Developers Interested in Security

I find it amazing in this day and age that there are still so many common software security issues released to the wild. I'm not even talking about flaws in OS code or database or other server platforms. I'm only focusing on the common, run of the mill issues in the software written day in day out.

There is little excuse for SQL injection to work anymore. Parameterize your queries, people. It only takes a couple of seconds longer if you have any competency typing.

Cross-site scripting attacks should be a thing of the past. HTML-encode all the content that you receive from users before showing it on a page, at the very least. It's just an extra function call here and there.

Even cross-site request forgery, while not much is heard about it, is very dangerous. Yet it has a simple solution. Double-submit a unique value in a cookie and a form field with every post you make, and reject the request on the server if the two don't match.
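The three habits above, shown side by side as an added example (this is illustrative code, not the post author's). It uses Python's standard library only: an in-memory SQLite table with two constructed rows, `html.escape` for output encoding, and a double-submit token compared in constant time. The function names and the sample rows are assumptions made for the demonstration.

```python
"""Added example: parameterized SQL, HTML-encoding of user content,
and a double-submit CSRF token check. Not the post's own code."""
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn


def find_user_concatenated(conn, name):
    """The injectable pattern: user input spliced into the SQL text,
    so the database parses whatever the user typed as part of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """The fix: the driver binds the value as data; it is never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def render_comment(user_text):
    """HTML-encode user content before placing it in the page body.
    quote=True also escapes quotes, so the same call is safe in attributes."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


def issue_csrf_token():
    """Unguessable per-session token. The server sets it as a cookie and
    embeds the same value as a hidden field in every form it serves."""
    return secrets.token_urlsafe(32)


def csrf_check(cookie_token, form_token):
    """Double-submit check: cookie and form field must both be present and
    identical. A cross-site request can't read or set the cookie, so it
    can't supply a matching form field. Constant-time compare avoids
    leaking the token through timing."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic test string; treated as a literal when bound
    print("concatenated:", find_user_concatenated(db, payload))   # both users leak
    print("parameterized:", find_user_parameterized(db, payload))  # []
    print(render_comment("<script>alert(1)</script>"))
    tok = issue_csrf_token()
    print("same token:", csrf_check(tok, tok), "| forged:", csrf_check(tok, "x"))
```

The point of the first two functions is the contrast: the same input returns every row through string concatenation and no rows through a bound parameter, with no input filtering involved. The CSRF helper is the minimal form of the double-submit pattern; a framework that already issues per-session tokens should be used in preference to hand-rolling it.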

The list goes on, but many developers don't take the time to make these small habitual changes in the way they code. And it's these small changes that would prevent most of the security issues in today's internet applications. Why do these vulnerabilities keep making it into production software?

One reason is that security is not usually seen as a glamorous part of the application. Yes, it's vitally important. But few others in most companies pay it much attention. They expect it, but they don't come back with stories of customers raving about security.

Another reason is that at companies writing products, most of the security work goes in (or should go in) up front. Once it is done, there is not much else to do when compared with adding new features. I'm not saying the work can stop. Good security is an ongoing task. But like any interest, if time is only sporadically allocated, becoming an expert is difficult and the interest will fade.

Furthermore, security is rarely of constant interest to the managers and directors of companies. Again they expect it, but they can forget that it takes time to secure software: time to learn and time to act on the information. If they will not make the time in their never-ending road maps and milestones of new features, the developers will follow their lead and only make it an afterthought.

The task of getting other developers to take enough of an interest to change their habits can be challenging though.

The first step that I see is to get the directors and managers interested. Without their support and attention, security is just another nice-to-have. Take the time to have your software audited by a third party and spend the resources fixing the issues. Create a position in your team that has the authority and resources to address these issues. Educate entire teams on vulnerabilities so that designers design correctly, QA tests for known problems and developers develop code to specification in order to pass the tests.

That's fine within an individual company. The next step is to get developers at large to take an interest. I don't even know how to go about that. Everyone would need to help. Software security might be a good required course in college. Bloggers need to keep on blogging to raise awareness. Make security a selling point on web sites and sales catalogs. When hiring new employees, insist that they know about basic issues and the appropriate solutions. Provide material when new employees enter the company that helps indoctrinate them into a culture that takes security seriously.

In the end, getting developers to write more secure code is not just a job requirement for programmers; it's a wider change in mindset that needs to happen. It's not only the coders' responsibility to see that the applications are written securely. It's the right of clients to demand better software. It's the duty of the directors and managers to allocate appropriate resources. And effort must be made by all employees to understand the issues and help make software more secure in whatever way they can: plan, design, write, test and buy with security in mind.
