Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Introducing the concept of application security.

More to the point, introducing the concept of application security to the ones who need it most:  the application developers.

Sometimes I’m amazed at their obtuseness, really.  We’ll have a conversation that goes something like this:

Me: You need to validate your input.

J. Random Luser Developer: But this application doesn’t take user input.

Me: Can the user click on anything?

JRLD: Uh, yes, but --

Me: Can the user type anything into that SEARCH BOX AT THE TOP OF THE PAGE?

JRLD: Yes, but --

Me: Then it’s input and you need to validate it.

JRLD (totally uncomprehending): Why?

Me: Because hackers can create input that will cause your application to break or allow them to get around access controls.

JRLD: And this is bad because ... ?

Me: You’re writing the largest financial application in the company and you have to ask why this is BAD??!??

JRLD: Who would do something like that?  This application is only internal, you know.  Besides, it would take too much work to redesign it the way you’re asking.

Me (to deputy): Take over, will you?  I suddenly feel the need to go for a walk.  Before I hurt him.

My forehead wasn’t always keyboard-shaped, you know.  But I’m seeing more and more of this syndrome.

Developers don’t understand the basics of what their code does, thanks to GUI-based object-oriented programming.  Or they’re re-using someone else’s code and don’t understand it either.  They don’t even understand how HTTP works, for crying out loud:  how you can talk directly to a web server or modify your browser’s requests to send anything you want.  They honestly don’t believe you when you try to explain that any application could be a target, and that there is a real risk out there even if they don’t see it.  Because they don’t understand it and have never been exposed to it, they automatically assign it a probability of damn-near-zero. 
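To make the "that search box is input" point concrete, here is an added example (not from the original post): a server-side check for a search parameter, applied to a few constructed request lines, some of which a browser form would never have produced. The path `/search`, the parameter name `q` and the allow-list are assumptions for the sake of illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAX_QUERY_LEN = 64
# Assumed allow-list for a name/keyword search box: letters, digits, space, a few punctuation marks.
ALLOWED = re.compile(r"^[A-Za-z0-9 .,'-]*$")


def extract_query(request_line: str) -> str:
    """Pull the raw 'q' parameter out of an HTTP request line such as
    'GET /search?q=ledger HTTP/1.1'. Whatever the HTML form's maxlength or
    pattern said only ever ran inside the browser; the server sees bytes."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def validate_search_query(raw: str) -> tuple[bool, str]:
    """Server-side validation applied to every search, regardless of origin.
    Returns (accepted, reason)."""
    if len(raw) > MAX_QUERY_LEN:
        return False, "too long"
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in raw):
        return False, "control characters"
    if not ALLOWED.fullmatch(raw):
        return False, "disallowed characters"
    return True, "ok"


# Constructed sample requests: the first is what the form would send,
# the rest were assembled outside the browser.
SAMPLE_REQUESTS = [
    "GET /search?q=ledger+2007 HTTP/1.1",
    "GET /search?q=ledger%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1",   # markup in a search term
    "GET /search?q=" + "A" * 500 + " HTTP/1.1",             # ignores the form's maxlength
    "GET /search?q=report%0D%0AX-Injected%3A+1 HTTP/1.1",   # embedded CRLF
]


def screen_requests(requests=SAMPLE_REQUESTS):
    """Run every request through extraction and validation."""
    return [validate_search_query(extract_query(r)) for r in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, screen_requests()):
        print("ACCEPT" if ok else "REJECT", why, "<-", req[:60])
```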

And bottom line, it’s not their call to make.  They don’t get to accept risk on behalf of their organization.  It needs to be done by the management, in a well-informed manner.  And yet, this is what developers are doing all over the world:  making risk decisions that their managers don’t even know they’re making.  They’re doing it completely in the dark, in many cases.

So how do you battle this kind of stubborn ignorance?  I don’t have time to teach them all about risk analysis, or even teach them the programming knowledge they’re clearly missing.  I don’t really want to resort to the “Because Security said so,” either.  How do you deal with the equivalent of a Flat-Earther who doesn’t get it, doesn’t want to get it, and yet is primarily responsible for making sure your cruise ship gets safely to New York?

Please help, because it’s just a matter of time before we find that iceberg.

Posted by shrdlu on Wednesday, August 08, 2007