I have trained thousands of developers in writing secure software. It's great that the developers (and their managers) building the systems that run the networks, financial, healthcare, and manufacturing systems across the planet are now starting to care about writing secure code. Here is the scary thing, though: most of the time I am the first person who has trained these developers. At the beginning of every class I ask people how many years of programming experience they have, and on average most people in the class have at least 3-5 years. Then I ask how many people have had even a single day of security training, and I will often get one hand. So in a class of 30 developers we're likely to have 150+ years of programming experience and one day of security experience! Knowing this, we should not be at all surprised that our systems are ripped apart at the seams by even semi-skilled attackers.
Software security has two basic problems: security people don't know enough about software (how it's developed, configured and deployed), and software people don't know enough about security (authentication, authorization, secure exception handling and so on). Before the Web, this never mattered very much for most enterprise systems. Your code ran on computers you controlled, or at least outsourced to EDS, Perot or IBM, and there were contracts and defined roles and responsibilities in place.
Once we migrated business transactions to the web the game changed, but here is the key point: the development processes didn't. There have been all manner of changes in how we build software, from RUP to XP to Agile methodologies, but relatively speaking there has been very little change in secure coding. Sure, it's growing fast, but it's a drop in the bucket compared to the other changes in software.
Now the major changes brought on by the cloud are moving this ad hoc "keep building our code the same way" attitude front and center. Not only do managers and architects face the challenge of moving the processes, data, and code that run their business off site, they are also dealing with a myriad of cloud vendors with varying SLAs and policies. It's much harder for management to avoid the security implications of the cloud when an end-to-end process is outsourced, as opposed to what appears to be a simple web app. Plus, unlike the early days of the web, everyone in the enterprise now has at least some experience with data breaches, security incidents, and other security issues, likely both at home and at work.
So I expect, and have already started to see, a change in perception from above that should give developers and security people enough leeway to do the things that need to be done to begin improving security in cloud apps. Unlike ten years ago, there are "green shoots" of software security innovation all around us: static analysis, federation, identity technologies, the SDL, web service security gateways, to name just a few. Major improvements can and, I expect, will be made by educating cloud consumers and vendors on ways to develop, deploy and enforce effective policies.
We have had innumerable failures in software systems, and especially in web systems, where the game is not human v. compiler but human v. human. But here is the silver lining: engineers learn more from the bridges that fall down than from the bridges that stand up. We have an enormous pool of things that we know don't work. What's needed now is codifying that knowledge and practice into things that can work at scale.
There is no reason to wave the white flag. Security people do not have to sit passively while the cloud is built and deployed; it's happening right now. We know plenty of things that don't work, and even some that work quite well. Those patterns and practices need to be made actionable by the developers who are building the cloud right now.
The technology obstacles to improving security are vanishing; with more education, the mindset of developers and security people can be improved to make them radically more effective at building more secure systems. We are not stuck with the security situation of today. What we need is engineering, specifically safety engineering. Nobody would build a car today with the same lack of safety as a car from the 1950s. Building cars today means ABS, airbags, independent verification and a whole host of techniques that make the driver safer. Market forces and improved engineering practices will go a long way toward addressing security in the cloud, but we must begin now.
I think market forces are starting to kick in. I know that engineering practices can be improved through clearer security requirements for software, better tools for developers to write secure code, and training for developers so that they can surprise us all with the solutions they come up with, just like they do with all the other cool stuff on the web, only this time surprise us with safety features.