Jim Manico had an interesting comment on yesterday's post, which centered on empowering developers:

You're missing a big point here: you need to enable developers. Train them, give them secure coding tools like ESAPI, have assessment resources work with them, and give them time to fight the "legacy issue". The entire business needs to take ownership, not just your developers.

I should have been clearer. Jim's list is excellent and is exactly what I was trying to describe with "empowering". People say that software security and crypto are hard, but that is crazy talk. Do you have any idea how hard it is to program against a database without JDBC or ODBC? Or what if SQL didn't exist? How easy is SELECT * without SQL? The reason average programmers can effectively program databases is not because database programming is intrinsically easy; it's because there are 30 years of engineering behind getting the right level of abstraction in place.
There is nothing intrinsically hard about, for example, authorization; it's just that we don't have the right abstractions integrated in the right places yet. In the case of authorization, we need more flexible systems that rely on claims and attributes instead of sandboxes that require extensive a priori knowledge. But it's simply a matter of establishing the right abstractions and then doing the engineering.
My favorite whipping boy, the network firewall, is a great example of the kind of damage the wrong abstraction can do. There are literally millions and millions of vulnerabilities created by shortcuts that developers and architects take (and that security people sign off on) because service XYZ and component ABC are "inside the firewall". We never hear anyone ask, say, "so how does your message queue actually know the identity it is authorizing?" Because the queue is "inside the firewall", these questions are never asked.
So the right abstraction is critical, and that in turn gives way to engineering. This is where ESAPI, Bandit, Geneva and others will hopefully step in and reduce the friction we face now, so that your average developer can program security services as easily as talking to MySQL or SQL Server, and not have to go on Mr. Toad's wild ride to make an authorization decision.
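To make the "how does your message queue know the identity it is authorizing?" point concrete, here is an added example (my own, not from the post or from ESAPI, Bandit or Geneva) of a claims-based authorization check for a queue consumer: the decision is a function of the caller's claims and the resource's attributes only, so "inside the firewall" never enters into it. The issuer URL, queue, roles and subjects are all constructed for illustration.

```python
"""Claims/attribute-based authorization for a message queue (constructed example)."""
from dataclasses import dataclass

# Hypothetical security token service that issues the claims we trust.
TRUSTED_ISSUERS = {"https://sts.example.test"}


@dataclass(frozen=True)
class Claims:
    subject: str        # who the caller is, as asserted by the issuer
    issuer: str         # which token service asserted it
    roles: frozenset    # role claims carried in the token
    tenant: str         # tenant claim


@dataclass(frozen=True)
class QueueResource:
    name: str
    tenant: str
    classification: str  # e.g. "internal" or "financial"


# Each rule sees only claims and resource attributes and returns True when it
# grants the action. The caller's source address is deliberately not an input.
def rule_same_tenant(claims, res, action):
    return claims.tenant == res.tenant


def rule_role_for_action(claims, res, action):
    needed = {"consume": {"queue-reader", "queue-admin"},
              "publish": {"queue-writer", "queue-admin"}}
    return bool(claims.roles & needed.get(action, set()))


def rule_financial_requires_auditor(claims, res, action):
    return res.classification != "financial" or "auditor" in claims.roles


RULES = [rule_same_tenant, rule_role_for_action, rule_financial_requires_auditor]


def authorize(claims, resource, action):
    """Default deny: no claims, an untrusted issuer, or any failing rule rejects."""
    if claims is None or claims.issuer not in TRUSTED_ISSUERS:
        return False
    return all(rule(claims, resource, action) for rule in RULES)


PAYMENTS = QueueResource("payments", tenant="acme", classification="financial")


def demo():
    anonymous_inside = authorize(None, PAYMENTS, "consume")  # network location alone proves nothing
    svc = Claims("billing-svc", "https://sts.example.test", frozenset({"queue-reader", "auditor"}), "acme")
    forged = Claims("billing-svc", "https://evil.example.test", frozenset({"queue-admin", "auditor"}), "acme")
    return anonymous_inside, authorize(svc, PAYMENTS, "consume"), authorize(forged, PAYMENTS, "consume")
```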
I approve of this message. You have redeemed yourself, Gunnar. *smile*
Posted by: Manicode | October 11, 2009 at 01:32 PM
This is a great post. Thanks!
Posted by: Brian | October 14, 2009 at 01:36 PM