Thursday, November 13, 2008

Security: Show Me The Code

This seems to be a recurring theme lately. I'm one of a team of dozens working on a large project, and we have a handful of "security professionals" assigned to the team. We have just finished writing a design document, and the security section is just huge, directly proportional to the number of people working on it. Anyhow, a bit of stage setting is necessary. I'm participating in a conference call; we have WebEx running, a collaborative whiteboard, and document sharing.

Me: "This is a big section on security, but it's not complete."

Security Professional: "Oh, what's missing?"

Me: "Software security."

Security Professional: "What do you mean? There's a whole section on how to configure each part of the software stack!"

Me: "No, I meant the software itself, especially the custom software that will need to be developed."

Security Professional: "As long as it's configured properly ... blah blah blah"

I cut/paste a snippet of code for a SQL injection attack onto the whiteboard.

Me: "How do you detect and prevent this?"

Security Professional: "What's that?"

Me: "Code for a SQL injection attack."

Security Professional: "Oh, I don't know anything about that type of security."

Me: "Security isn't a black box."

After that, I let the silence speak for itself. I recommended that, as a start, they visit John Viega's outstanding contribution to the security community and revisit their section of the document.
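The kind of snippet that went onto the whiteboard, shown beside the fix it should be compared against. This is an added example, not code from the original post; it assumes an in-memory SQLite database with a constructed `users` table.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data (not from the original post): three users, one admin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The statement is assembled by string concatenation, so the caller's input
    # becomes part of the SQL grammar rather than a value inside it.
    # No amount of stack configuration fixes this; only the code does.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The SQL text is fixed; the input travels to the engine as a bound value,
    # so quotes and keywords in it are compared literally, never parsed.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # the textbook input that rewrites the WHERE clause

    print(lookup_vulnerable(db, benign))       # ['bob']
    print(lookup_vulnerable(db, hostile))      # every user: the filter was rewritten
    print(lookup_parameterized(db, hostile))   # []: no user has that literal name
    print(lookup_parameterized(db, benign))    # ['bob']
```

Both functions answer the same benign query identically; only the hostile input separates them, which is why a configuration-only review never sees the difference.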


4 comments:

JViega said...

Hey, good article, and thanks for the props!

John

Anonymous said...

Your comments got me interested! I think you mean well, but bashing security profs and consultants may not really get the answers you need. Fact is that EA, when executed well, is proven (value for money); and yes, can show code if that way inclined.

- I have WebEx too. Let's talk.

-CISA-Prof: (415) 376 1312 after 4PM PST

Chris Kempster said...

Hi there, yep, been through that one when trying to complete a strategy for Identity and Access Mgmt. It is a simple issue: the professional taking it to a level at which they feel comfortable, similar to end users providing solutions to their domain-specific business problems.

To get around this, I used the Soft Systems Method from Checkland (SSM), using rich pictures and root statements to get to the crux of the issues and turn it around into a 'world issue' for the security staff, seeing outside of their boxes and allowing the guys to pinpoint the security issues/risks/threats in business speak, given the business pays for it and their (valuable) jobs.

offshore outsourcing services said...

Nice article...
Thanks for sharing this...
Regards,
Offshore outsourcing