Coder vs Security - friend or foe?

Certainly 140 characters is not enough to express all the thoughts around the recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves a Pwnie Awards nomination), although some people had a good go at Daniel Kerr.

[Image: twitroll-ocart-fail.png]

Above is just a selection of the comments you can find on Twitter, and in all of this negative karma there is something good going on: the incident got quite a lot of people to write some really good posts about it. Some of my favorite posts are Humble Helps and Psychology of "Secure Code" - definitely worth reading.

Although I'm not an expert in either coding or security (though I have done quite a lot of both), I think there is also a bit more to it.
I used to work with many coders (people that write code) - some extremely good and some extremely bad. When I look back I would happily say that at some point I was doing a bit of both - at least in my own opinion.

Developers vs code-slingers

There is a significant distinction between those two groups, at least as far as I can tell. Developers do their job and write apps the best way they can; they are proud of their job because they know they did the best they could. Code-slingers, well... get it done, whatever... Usability is something they may or may not understand (if it works, it's usable, right?), quality and elegance ring a bell somewhere but that's not in their church so nothing to worry about... and security is often totally unheard of. Sad, isn't it?

I think we've all been there and done more or less of that - it takes time to learn and even more time to understand. That requires patience and a lot of energy, and more than anything it requires a person to say "I want to do it right, I want to understand".

Recently in one of my emails I found an anonymous quote by a person who was training newly hired staff - he said "I can teach them just about anything, but I can't give them a basic sense of curiosity". I couldn't describe it better!

Developers vs Infosec

In my opinion the real virtue of a good developer is aiming for perfection and taking criticism as a chance to improve. It is sometimes painful (I know from my own experience) but we all make mistakes and no matter how good we are, there will be someone better who will prove us wrong. Real developers know how to deal with it because they want their code to be beautiful in all possible aspects and they are curious people. Some of those can be a real inspiration and you enjoy every second you spend with them.

Code-slingers vs Infosec

Mostly not as skilled as developers, often with bad habits, etc. - you could say 'developers in training' and that is OK. The first thrill of getting something that actually does the job hopefully wears off and they want more - or they don't... they are so happy that their code works that nothing else matters - that's where the problems come from.

It's not a problem of skill, it's a problem of attitude. You can spend a lot of time with them trying to explain, demonstrate or even send them to some training that deals with secure coding... still they couldn't care less - oblivious, ignorant, often arrogant and portraying you (the infosec person) as their biggest enemy because you prevent them from doing their job. Yes, I've been there and worked with such people.

Free vs 'for money'

Your options vary depending on the environment. In the 'for money' space you have tools to deal with that - you can and should mentor such people to help them understand. Sometimes a cup of coffee, or a friendly chat at the whiteboard going through the requirements and proposed solutions or ideas, can really make a huge difference. If you are not so friendly then get your company to pay for some good training that will give those people a good base to do their work (get rid of bad habits, don't post code snippets on a forum with a URL to the product, etc.) so they get the carrot.
If that doesn't help, go for the stick - at the end of the day, that code-slinger, or his/her supervisor, or their supervisor, will have to face the dilemma of signing off code for production - it's a business decision. If you can't block it and don't communicate your security concerns it will be your fault if things go wrong, and your head on the chopping block. Brutal but simple - isn't it?

In the free software world, where a coder does something for little money (let's say donations) or no money at all, what is the carrot and what is the stick? If people care, they get good ratings, maybe more donations, good publicity and are praised for their work, but if they don't give a s**t... Oh, hi Daniel!

Free software users will complain, generate a lot of bad PR and many of them will go away, migrating to other products, but hold on... in this particular case THERE IS commercial support for OpenCart. What will the paying customers make of a response like the one we've seen? How do they feel? They pay for support that they clearly don't get :-(

Lessons to take away

If you are a so-called code-slinger, try to understand that writing code that works is not all you have to do. You should create solutions - not problems. Don't behave like a little kid; put your pride aside for a few minutes and listen to what people have to say about your work - it really helps, even if it ruins your day.

If you are a developer, please be a mentor to the code-slingers so they understand the beauty of the code and what it is all about. Be a role model - calm, patient, their best friend and inspiration - that's how miracles happen.

If you are the infosec person, please remember that saying 'no, you're doing it wrong' doesn't get you anywhere. You have to be more patient than ever, explain why you said 'no' and help find a solution - otherwise you have just created another problem.

Whoever you are - remember that people sometimes get frustrated, they have a bad day, they say things they later regret - it's a design flaw we all have. Daniel has just demonstrated it, and it went public. A simple 'sorry' can clear the atmosphere and create a place to work together and solve the problem.

At the end of the day, we should all be friends, not foes... so I'd better shut up before I say something I will regret :-)


Creative Commons License
This weblog is licensed under a Creative Commons License.