Developers: Security is Your Problem, Get Over It

James Turner’s post “Developer Week in Review: The overhead of insecure infrastructure” captures the hubris with which many developers approach not only security but a range of other concerns like performance and deployment. Here’s the paragraph Turner uses to hammer home his point:

“Personally, I’m tired of wasting time playing mall security guard, rather than Great Artist. In a world where we had made security a must-have in the infrastructure we build on, rather than in the code we develop, think of how much more amazing code could have been written. Instead, we spend endless time in code reviews, following best practices, and otherwise cleaning up after our security-challenged operating systems, languages and platform. Last weekend, we honored (at least in the U.S.) those who have given their life to physically secure our country. Maybe it’s time to demand that those who secure our network and computing infrastructures do as good a job …”

“Mall security guard”? Could his attitude toward operations be more patronizing? Boy, would I hate to be the guy responsible for application security in James’ group. Does his idea that developers should be “Great Artists” strike you as a bit grandiose? While I think there is some aspect of “artistry” to development, most of us are creating business applications that babysit relational databases. Calling us artists in the context of this post just makes me think of a “Great Artist” developer laying down some edict about not using insecure operating systems and then storming out of the room… and the Memorial Day reference, wha? No.

Imagine the meeting in which “Mr. Great Artist” lays down the law about an insecure OS…

(Great Artist lead developer makes a declaration that Linux isn’t secure enough for him. He announces this, makes an odd comparison to remembering the dead on Memorial Day, and walks out of the meeting before anyone can respond.)

CTO: “What happened?”

Security Guy: “I don’t know, but wow that was INTENSE. All I did was tell him we found a few more SQL injection attacks and he flipped out. He told us we can’t use Linux anymore because it didn’t meet his security standards and then he just up and left. WTFF?”

Another Security Guy: “Yeah, he started talking about how C is a bad language and how it wasn’t his problem that the operating system doesn’t have the capacity to detect…”

Developer in same group: “Well, maybe he’s having a bad day. Listen, can I just fix these security issues. I think he has a point, but I also think he lacks tact. What can we do to address the security…”

Security Guy: “We’ve tried to set SELinux to enforcing a number of times, but every time I do that he tells me he doesn’t have time to enumerate the ports and files he needs to access. He told me to ‘figure it out’ last time I asked.”

Developer in same group: “Yes, internally he’s made the same rant a number of times, we’ve been trying to get him to let us use a Java Security Policy to lock down access to resources. He said something about security not being our concern…”

Another developer: “…that was fun. He sort of sneered at us and called me a ‘mall security guard’. And, you know what, screw that! My dad’s a mall security guard right now, it’s the only job he could find in this economy… understand that I almost quit right there…”

CTO: “Whoa, don’t quit. You are one of the only people on the development team keeping the system secure. Come directly to me next time, I have to find a way to keep the Great Artist occupied with something other than being a pain in the ass.”

Project Manager: “Alright, so let’s move without the Great Artist. We’ll turn on SELinux and we’ll get the Java Security Policy up and running. That should solve the problem then…”

Another developer: “…sorry to interrupt, but can I make one point.”

Project Manager: “Of course.”

Another developer: “SELinux will help us catch some vulnerabilities at the OS level. The Java Security Policy is another layer of defense, but there is a series of vulnerabilities that are application specific. Things like insecure versions of Tomcat that need to be updated. Someone on the development team is going to have to be tasked with security on an ongoing basis, and we need to work closely with operations on all of these issues.”

Project Manager: “We didn’t budget for that.”

CTO: “Budget for it.”

Project Manager: “Whose department does that come from?”

CTO: “Good question… Ok, I have to sit down with Mr. Great Artist and have a very long talk about attitude. We may have more money in the budget after that conversation.”
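The skit’s last technical point, that OS and JVM policy layers cannot see application-level flaws like the SQL injection the security team keeps finding, is easy to show in code. The following is an added example, not code from the post or from any project it mentions; it uses Python’s bundled sqlite3 module against a constructed in-memory table so it runs offline, and the table, the row data and the crafted input are all invented for illustration. SELinux and a Java Security Policy would both allow the vulnerable query below, because from their point of view it is an ordinary database call by an authorized process; only the developer who writes the query can close the hole, by parameterizing it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: user input is spliced into the SQL text, so the input
    can change the query's structure, not just its value."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter is always treated as a value, so the
    query's structure is fixed no matter what the input contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input that is a valid name nowhere but, when spliced into the
# vulnerable query, turns the WHERE clause into a tautology.
CRAFTED_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Run both versions against the same input and report what each returns.
    The OS/JVM policy layers named in the post would permit both calls; the
    difference is entirely in how the application built its query."""
    conn = make_db()
    return {
        # every row comes back: the filter was rewritten by the input
        "vulnerable_rows": len(find_user_vulnerable(conn, CRAFTED_INPUT)),
        # no row matches the literal string, which is the correct answer
        "safe_rows": len(find_user_safe(conn, CRAFTED_INPUT)),
        # the parameterized version still works for ordinary lookups
        "normal_lookup": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The same distinction holds in the Java/Tomcat stack the dialogue describes: a JDBC PreparedStatement with bound parameters plays the role of the `?` placeholder here, and no amount of SELinux or policy-file tuning substitutes for it.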