Bringing Security into an Insecure world
People who know computer security in depth are scarce. Resolving this is a key problem in creating a more secure world.
It is possible to identify several problems today:
Some developers have no security education at all. For some reason, it has traditionally not been viewed as mandatory knowledge for software developers.
A lot of security education is overly academic. For example, university and college courses tend to pack a lot of subjects into a single course, ranging from secure programming and secure engineering to cryptography and other very theoretical information security problems.
Vendor driven security education is often overtly product oriented. For example, it is nice that a virtual machine supports running code in a “least privilege” mode, or that a database supports multiple independent security labels – but although these are all powerful security engineering features, do they apply to the problems facing everyday, run-of-the-mill software developers? Do they help developers deal with their security problems?
So, it is easy to identify problems, but how about some ideas for resolving them? Here are my ideas:
You who know security: bring it out to the people!
Security has been too much of a “by the geeks for the geeks” thing. It is time to realize that this just doesn’t cut it. You cannot complain about the state of the world if you are not making your own effort to change it.
- Don’t just keep to elitist forums populated solely by security geeks. Discussing security with them may be interesting, but why discuss topics with people who already know them?
- Go to programming forums / communities and spread the knowledge! Personally, I regularly discuss security issues in code examples posted in development forums / communities. Just pick a forum and monitor the code there; you will see a lot of insecure code, and you can enlighten developers about how to fix it.
- Put the information where anyone can find it. Find the sites which are used as references by the masses – and put the information THERE, where everyone looks for information. That way, not just security geeks (with their white, grey or black hats) will know about the problems, nor just developers, but people in general will have a good chance to comprehend why and when security is important. For example, I work with http://en.wikipedia.org/, one of the most popular information sources out there. I bring security knowledge such as known exploit methods into those articles, and take great care to explain them in words a lot of people can understand. Then I try to ensure that popular general articles (such as, e.g., the HTTP Cookie article) link to the known security issues related to that article.
Focus on secure programming.
Today we often focus on a lot of technically or academically interesting problems which are not really down to earth.
- Secure engineering is a complex subject which often has no good mapping to the actual problems facing developers. “Least privilege” is an excellent example of a good secure engineering principle which in practice is completely useless in many development projects (as requirements change all the time, and a module which is designed to require no special privileges may, a few weeks later, suddenly need to execute external programs). Let’s face it: secure engineering is excellent, but it is way off from what most customers and software vendors are ready to pay for today.
- Cryptography is another field which is overly popular in academic or vendor driven education. Okay, this is fun and interesting to security geeks, but… reality check! Most security guys don’t do cryptography, and among software developers it is probably 0.001% who are ever involved in implementing cryptographic protocols. Is there any sane explanation why it is popular to talk or educate about cryptography? It is so far off the “must know” list that it is completely incomprehensible why the few resources that are available are put into this area.
But there is one subject which is relevant for most developers, and that is secure programming.
Most flaws are due to insecure programming (no input sanitization / validation / canonicalization, no protection against known attack types), so focusing on secure programming is really to focus on the most urgent and critical aspect.
Also, developers understand programming, and secure programming can be taught to any programmer – it is speaking security in terms programmers can understand. Beginning with secure programming is easy: most developers will comprehend this aspect of security, and some developers will move on and learn more about other security aspects.
Universities/Colleges: Change the minimal level of education!
Universities and colleges need to shape up. This will ensure that in 5 – 10 years, the average developer will be better qualified to perform his work. All developers need to know security, and especially important is secure programming, which should be taught to anyone who is taught programming. Why not include secure programming in basic programming courses?
Leaving security to be taught through working experience is just plain unacceptable. Only big companies or security oriented companies have anyone to teach security at all – most developers will therefore never be taught by security experts. Besides, there is a financial aspect: educating students is super-cheap. Educating professionals means a major loss of revenue. It seems rather obvious that society is losing both money and security by not properly teaching security in schools, does it not?
Buyers: Require security expertise
When contracting someone for, e.g., developing new software, why not require that they can show they are qualified to develop secure software? Or better put: why pay big bucks for someone who has absolutely no idea how to design a secure program?
Although you probably cannot get more than a certificate or something (which really doesn’t say much), it will be a clear message to contractors that security is a requirement. The possibility of losing customers in the future will be a major factor in making consulting companies pay for hiring new staff or educating current staff.
And those are my ideas, what are yours?
Regards,
bluefish & some of the other 11a guys