Bridging the Balkans

Software Magazine, August, 2001 by Paul S. Raines

Security and development need to work together

TO THE UNINFORMED OUTSIDER, a corporate IT organization may appear to be a fairly homogeneous group of gadget-toting, fashion-challenged, techno-babbling geeks. An IT insider would admit to all of the above except the description of being homogeneous. In fact, an IT department is a seething cauldron of competing factions staffed with widely varying personality types. At one end of the spectrum are the developers--the consummate artists of information technology. At the other end are the information security professionals--the watchdogs of the corporate jewels. They seldom see eye to eye. It is into this Balkanized world of information technology that this article ventures bravely forth.

Developers are the creators, the ones who develop the applications that make our lives easier. Yes, they deal in the hard-knocks world of compilers, virtual machines, and byte code, but at the core of their being they have the souls of poets. They are intimate with the abstract processes that bring code to life. Where one person sees meaningless strings of incomprehensible Java commands, the developer divines the origins of software existence.

To the developer, rules are meant to be broken and authority is meant to be challenged. After work they are more likely to hop on a Harley than to take the bus home. More likely they go to some trendy hangout joint to quaff and exchange stories with their hacker friends. They ingest exotic foods, wear strange clothes, pierce and tattoo odd body parts, engage in alternate lifestyles--OK, maybe I'm getting carried away, but you get the picture.

In contrast, the information security buzzards sit perched on IT cubicles watching over the world of automation to ensure nothing happens. Why? Because if nothing ever happens then it can't be a security risk. These guys and gals are so devoid of life that they would have to warm up to die. They're so uptight that they squeak when they walk. Their idea of a good time is playing "Trivial Pursuit" and chowing on Ritz crackers and Cheez Whiz. The only time they stay up late is when they're worried that somewhere, somehow, someone in their company is having fun with technology. If Ebenezer Scrooge were alive today, he would no doubt be a respected member of the security profession.

The Counterplots

Well, you can just imagine how these two types get along. Typically, the conversations in the developer camp go something like this: "OK, whatever you do, don't tell security anything. They can't stop what they don't know about. We'll just develop the application and present it to security as a fait accompli right before it goes to production. If security says anything, then we'll say it's a business-critical application and get the CIO or CEO to pull rank to get the app live in time to make the deadline."

Meanwhile, over in the huddle of the buzzards, the conversation goes something like this: "We know the developers are up to something. They've been whispering a lot lately and holding secret meetings at odd hours. Let's see if we can find out what they're up to. If it's an application, let's go in and ask them lots of audit questions that they don't know the answers to and request documentation we know doesn't exist. When they don't provide answers, we'll embarrass them by reporting them to the CIO or CEO and pull rank to get security built into the app."

Does it have to be this way? Where in the employment contract does it say that developers and security people have to be in a state of perpetual strife? Isn't there an opt-out clause?

Cooperative Survival

Yes, Virginia, there really is an opt-out clause. It's called cooperation in the interests of survival. Businesses are more technology-focused today than ever because better, faster, cheaper technology translates directly into competitive advantage. No company can survive without the applications that bring home the bacon. This is especially true of e-commerce applications that will redefine the nature of business processes for the foreseeable future.

However, applications are becoming increasingly susceptible to being hacked through simple security vulnerabilities. There isn't a day that goes by without an industry security bulletin on a buffer overflow attack, a race condition, or a misapplication of cryptography within an application. It's almost as if the more proficient we become at developing applications with the latest whiz-bang technology, the less secure they are. That's too bad because security is the great enabler of e-commerce.
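As an added illustration of the first vulnerability class named above, and not code from the original article: a constructed C function that copies an untrusted name into a fixed-size stack buffer with strcpy, placed beside a hardened version that measures the input first and refuses anything that will not fit. The buffer size, the function names, and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed buffer size chosen for the example (assumption). */
#define NAME_MAX 16

/* VULNERABLE: strcpy copies until it finds a NUL byte and never looks at
 * the destination size.  A name of NAME_MAX bytes or more overruns 'buf'
 * on the stack and corrupts whatever lies beyond it (saved registers,
 * the return address).  Calling this with such input is undefined
 * behaviour, which is why the demo below only feeds it a short name. */
int greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);              /* no bounds check: classic overflow */
    printf("Hello, %s\n", buf);
    return 0;
}

/* HARDENED: measure the input and refuse anything that would not fit
 * together with its terminating NUL.  Refusing is preferable to silently
 * truncating, which can turn one bug into a different one (a mangled
 * identifier, for instance).  Returns 0 on success, -1 on rejection. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX];
    size_t len;

    if (name == NULL)
        return -1;
    len = strlen(name);
    if (len >= sizeof buf)          /* would leave no room for the NUL */
        return -1;
    memcpy(buf, name, len + 1);     /* copy exactly len bytes plus the NUL */
    printf("Hello, %s\n", buf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *short_name = "Alice";
    const char *long_name  = "Alice-with-a-much-longer-name-than-fits";

    greet_unsafe(short_name);       /* safe only because the input is short */
    greet_safe(short_name);         /* accepted */
    if (greet_safe(long_name) < 0)  /* rejected instead of overflowing */
        printf("rejected %zu-byte name\n", strlen(long_name));
    return 0;
}
```

The point of the side-by-side is that the two functions differ by one length check; the unsafe form is what a developer writes when nobody has asked "how long can this input be?", which is precisely the question a security reviewer brings to the table.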

So, what is to be done? The obvious solution is that security professionals and developers need to work together more closely. The question is, how can organizations make these two very different breeds of bird fly together in formation?

The answer lies with security organizations recruiting more developers into their fold. This goes against the conventional wisdom of most security groups, which tend to look for people with backgrounds in network operations. That's because in the past security has tended to focus on network security--issues such as managing access control, passwords, encryption, and secure server configuration--rather than applications security. Given the importance of applications to the corporate bottom line, this needs to change.
