Security: Show Me The Code
This seems to be a recurring theme, lately. I'm one of a team of dozens working on a large project and we have a handful of "security professionals" assigned to the team. We have just finished writing a design document and the security section is huge, directly proportional to the number of people working on it. Anyhow, a bit of stage setting is necessary. I'm participating in a conference call; we have WebEx running and a collaborative whiteboard plus document sharing.
Me: "This is a big section on security, but it's not complete."
Security Professional: "Oh, what's missing?"
Me: "Software security."
Security Professional: "What do you mean, there's a whole section on how to configure each part of the software stack!"
Me: "No, I meant the software itself, especially the custom software that will need to be developed."
Security Professional: "As long as it's configured properly ... blah blah blah"
I cut and pasted a snippet of code for a SQL injection attack onto the whiteboard.
Me: "How do you detect and prevent this?"
Security Professional: "What's that?"
Me: "Code for a SQL injection attack."
Security Professional: "Oh, I don't know anything about that type of security."
Me: "Security isn't a black box."
After that, I let the silence speak for itself. I recommended that as a start, they visit John Viega's outstanding contribution to the security community and re-visit their section of the document.
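The post does not reproduce the snippet that went onto the whiteboard, so here is an added example (my own code, not the author's) of the kind of thing that was meant: a login query that splices user input straight into the SQL, next to the parameterized version that closes the hole. The table, users and payload are constructed for the demonstration; SQLite is used only because it runs in memory without any setup.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [
    (1, "alice", "s3cret", "admin"),
    (2, "bob", "hunter2", "user"),
    (3, "carol", "letmein", "user"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is concatenated into the SQL text.

    A quote character in the input ends the string literal and the rest of the
    input becomes part of the query. Returns the matched rows so the effect of
    an injected payload is visible to the caller.
    """
    sql = (
        "SELECT id, name, role FROM users WHERE name = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: a parameterized query.

    The SQL text is fixed at development time and the values travel separately,
    so nothing in the input can change the structure of the statement. The
    same payload is now just an (unmatched) password string.
    """
    sql = "SELECT id, name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payload: closes the password literal and tacks on an always-true
# condition, turning  ... AND password = ''  into  ... AND password = '' OR '1'='1'
INJECTION_PAYLOAD = "' OR '1'='1"


def demo():
    """Run both versions against a legitimate login and the injected one."""
    conn = make_db()
    return {
        "vulnerable_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "alice", INJECTION_PAYLOAD),
        "safe_good_creds": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the injected password the vulnerable function returns every row in the table, which is exactly the behaviour no amount of stack configuration will prevent; the parameterized version returns nothing for the same input. The point of putting such a snippet in a design review is to ask where in the custom code this pattern is forbidden and how that is checked, not whether the database server is hardened.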

4 comments:
Hey, Good article, and thanks for the props!
John
Your comments got me interested! I think you mean well, but bashing security profs and consultants may not really get the answers you need. Fact is that EA, when executed well, is proven (value for money); and yes, can show code if that way inclined.
- I have WebEx too. Let's talk.
-CISA-Prof: (415) 376 1312 after 4PM PST
Hi there, yep, been through that one when trying to complete a strategy for Identity and Access Mgmt. It is a simple issue, the professional taking it to a level at which they feel comfortable, similar to end users providing solutions to their domain-specific business problems.
To get around this, I used the Soft Systems Method from Checkland (SSM). Using rich pictures and root statements to get to the crux of the issues, and turn it around to a 'world issue' for the security staff, seeing outside of their boxes and allowing the guys to pinpoint the security issues/risks/threats in business speak, given the business pays for it and their (valuable) jobs.
Nice article...
Thanks for sharing this...
Regards,
Offshore outsourcing