Tuesday 25 May 2010

Coder vs Security - friend or foe?

Certainly 140 characters is not enough to express all the thoughts around recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves nomination for Pwnie Awards), although some people had a good go at Daniel Kerr.

Above is just a selection of comments that you can find on Twitter and in all of this negative karma there is some good thing going on. This incident got quite a lot of people to write some really good posts about the incident. Some of my favorite posts are Humble Helps and Psychology of "Secure Code" - definitely worth reading.

Although I'm not an expert in either coding or security (but I did quite a lot of both) I think there is also a bit more to it.

I used to work with many coders (people that write code) - some
extremely good and some extremely bad. When I look back I would happily
say that I was at some point doing a bit of both - at least in my own

Developers vs code-slingers

is a significant distinction between those two groups at least as far
as I can tell. Developers do their job and write apps the best way they
can, they are proud of their job because they know they did the best
they could. Code-slingers, well... get it done, whatever... Usability is
something they may or may not understand (if it works, it's usable,
right?), quality and elegance rings the bell somewhere but that's not
in their church so nothing to worry about... and security is often
totally unheard of. Sad, isn't it?

I think we've all been there
and done more or less of that - it takes time to learn and even more
time to understand. That requires patience and a lot of energy, and
more than anything it requires a person to say "I want to do it right, I want to understand".

Recently in one of the emails I've found an anonymous quote by a person that was training newly hired staff - he said "I can teach them just about anything, but I can't give them a basic
sense of curiosity
". I couldn't describe it better!

Developers vs Infosec

my opinion the real virtue of a good developer is aiming for perfection
and taking criticism as a chance to improve. It is sometime painful (I
know from my own experience) but we all make mistakes and no matter how
good we are, there will be someone better that will prove we are wrong.
Real developers know how to deal with it because they want their code
to be beautiful in all possible aspects and they are curious people.
Some of those can be real inspiration and you enjoy every second you
spend with them.

Code-slingers vs Infosec

not as skilled as developers, often with bad habits, etc - you can say
'developers in training' and that is ok. The first shock of getting
something that actually does the job is hopefully passing by and they
want more - or they don't...  they are so happy that their code works
that nothing else matters - that's where the problems come from.

not a problem of skill, it's a problem of attitude. You can spend a lot
of time with them trying to explain, demonstrate or even send to some
training that deals with secure coding... still they couldn't care less -
oblivious, ignorant, often arrogant and portraying you (the infosec
person) as their biggest enemy because you prevent them from doing
their job. Yes, I've been there and worked with such people.

Free vs 'for money'

options vary depending on environment. In 'for money' space you have
tools to deal with that - you can and should mentor such people to help
them understand. Sometimes a cup of coffee, friendly chat at the
whiteboard going through the requirements and proposed solutions or
ideas can really make huge difference. If you are not so friendly then
get your company to pay for some good training that will give those
people some good base to do their work (get rid of bad habits, don't
post code snippets on forum with URL to the product, etc) so they get
the carrot.
If that doesn't help, go for the stick - at the end of
the day, that code-slinger or his/her supervisor or their supervisor
will have to face a dilemma of signing off a code for production - it's
a business decision. If you can't block it and don't communicate your
security concerns it will be your fault if things go wrong and your
head on the chopping block. Brutal but simple - isn't it?

In the
free software world, where coder does something for little money (let's
say donations) or no money at all, what is the carrot and what is the
stick? If people care, they get good ratings, maybe more donations,
good publicity and are praised for their work, but if they don't give a
s**t... Oh, hi Daniel!

Free software users will complain, do a lot
of bad PR and a lot of them will go away migrating to other products,
but hold on... in this particular case THERE IS a commercial support
for OpenCart. What will the paid customers do with such response like
we've seen? How do they feel? They pay for support that they clearly
don't get :-(

Lessons to take away

If you are so called code-slinger
try to understand that writing code that works is not all you have to
do. You should create solutions - not problems. Don't behave like a
little kid, put your pride aside for a few minutes and listen to what
people have to say about your work - it really helps, even if it will
ruin your day.

If you are developer, please, be a mentor to the
code-slingers so they understand the beauty of the code and what it is
all about. Be a role model - calm, patient, their best friend and
inspiration - that's how miracles happen.

If you are the infosec
person please remember that saying 'no, you do it wrong' doesn't get
you anywhere. You have to be patient more than ever, explain why you
said 'no' and help find a solution - otherwise you have just created
another problem.

Whoever you are - remember that people
sometimes get frustrated, they have a bad day, they say things they
later regret - it's a design flaw we all have.  Daniel had just
demonstrated it and it got public. Simple 'sorry' can clear the
atmosphere and create a place to work together and solve the problem.

At the end of the day, we should all be friends, not foes... so I'll better shut up before I say something I will regret :-)