Many years ago Robert X Cringely sagely observed that there are only two types of programmers: hippie programmers and nerd programmers. The Hippie programmers do the right thing, the wrong way. The ner programmers do the wrong thing, the right way. I will pause a moment here for you to mentally categorize the programmers you have worked with.
There's lots of examples of these personality types in software security, introducing nonces to deal with CSRF is a nerd programming idea, it attacks the CSRF problem, but it does it the wrong way (introducing state in the middle tier). As for Hippie programming examples, doing the right thing the wrong way, how much time do you have? The entire Internet was built this way.
In security, we're often faced with the choice of doing the right thing or doing things right. This comes up over and over, and a recent post by Sejal Kamani on Fortify's blog discussing SAP/ABAP security shows why
What is immediately evident is that even today most of the time and money spent in securing SAP systems revolves around authorization checks, single sign-on, SSL, segregation of duties and other security features. As important as these components are, it only tells half the story. Very little is being said and done about securing these systems at the application level.
Initially, this was not as big a concern, as most of the SAP systems were internal to the enterprise. But with other software systems, as they established an online presence, ABAP applications were found to be vulnerable to the same attacks that have plagued Java and other web applications for years.
The post goes on to list common web vulnerabilities like XSS, Command Injection and Path Manipulation where SAP has vulnerabilities. There are some reasons for this such as the good ol' we're inside the firewall assumption which was valid until it wasn't.
Sejal concludes that "And as SAP systems hosting business critical applications move online, SAP applications should be held to the same software security reviews and standards as other web applications." I would go further and say that because of what SAP systems represent - your business supply and transaction chain - they should be held to a higher standard. Assinging security review priority based on downside risk is an oft-missed distinction in our threat obsessed industry. But that is not the point of this post, the SAP example illustrates that what's necessary to deal with malice is not the same as access control.
Infosec teams need to define distinct roles in the chain of responsibility for Access Control and Defensive services.
Access Control services deal with Identity and Access Management, and perform authentication, authorization, attribution, provisioning and other services. These are crucial enterprise security services, but they mainly relate to getting people who work for and do business with you the proper credentials, policies and tokens to do so. They do little defend against malice, for that we need...
Defensive Services are services that deliver a Margin of Safety to the enterprise through attack surface reduction, monitoring, encryption and other methods.
The distinction between Identity and Access Management and Defensive services are that the former can be found in functional flows and use cases, the latter are conservative architectural elements and processes for that which is outside the spec.
They are both critical to security architecture, they are both mainly sourced out of the information security team, but other than that they have very little in common with each other. In fact the staffing models, tools, skill sets required and where and how to participate in the SDLC to deliver these two Security service types could not be much different.
The foundation of the Security Triangle shows the differing mindsets at work. Identity and Access Services are about doing the right things -authenticating and athorizing your employees, customers and partners. Have Hippie programmers build these. Defensive services are about dealing with malice - defensive coding, input validation, output encoding - have Nerd programmers build these.