November 11, 2013 at 1:39 am
I fully agree...and although I am in the UK I am not a Cyber Commando...just a software engineer 😉
For too long has there been no entry barrier into IT and no driver for proper company-led training. Maybe if this was only the case for front end developers then appropriately qualified/trained/experienced application, enterprise and database developers as well as DBAs and infrastructure engineers could ensure that, at the very least, the corporate technical backbone and back office systems would be less vulnerable.
Will we know that the level of aggression has reached a certain threshold when one's own government forces a free market to enforce these standards? Will they claim that this is for professionalism reasons whereas others might believe that they are protecting the economy of the state?
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
November 11, 2013 at 4:03 am
Yes and No
While I do think you should have a walled off area, I am strongly of the opinion that every organisation should have a fully open pool database / test environment open to absolutely everyone as well; this allows the talented to teach themselves and make mistakes.
Only then will you be able to develop the staff to a level where they have both technical competency of database management skills and the perspective of understanding the data.
I have seen too many companies that bunker the SQL Server knowledge and access, resulting in the IT department having a lack of perspective on the tasks required by operations and operations having a lack of understanding of things like primary keys, audit trails, etc. This is also a recipe for Excel hell, where operations start developing whole processes in Excel.
I think we need to encourage Dev Ops - it's really in everyone's interest.
cloudydatablog.net
November 11, 2013 at 4:41 am
Know of various companies that have lost data. And I know more who turn a blind eye to everything because it will never happen/we trust our staff/etc.
Best one I have heard is third party suppliers saying it's not their responsibility to secure the database. Yet it is their code, their security, their incompetence that allows anyone to hack the system. Pity the Information Commissioner in the UK doesn't give any guidance on this.
November 11, 2013 at 6:10 am
There is plenty of guidance. There are plenty of opportunities to gain and develop the correct skills. What is lacking are suitable commercial pressures to ensure that the appropriate effort is authorised to be put into quality secure development. Without a governance directive, similar to Sarbanes-Oxley (SOX) if only in the resultant shift in emphasis to open and accurate financial reporting, there will be no change.
I am not looking to dissect and analyse SOX, only use it as an example of regulatory driven improvements. (...and, yes, it does have its flaws and detractors [like the ones who will ignore that I have pleaded this not to turn into a review of the effects of SOX].)
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
November 11, 2013 at 8:06 am
You are very correct about teaching. I do believe there is a place for a very simple bit of code to explain how to do something. However, those should be limited in scope. For example, VB Script help contains a lot of examples on how to use the File System Object. An example with 3-4 lines of code restricted to just what is minimally required to get it working, can be helpful to someone using it for the first time. Any larger examples, for instance an entire script, would be better off filled with correct coding practices. Every class I have ever taken uses only the simplest code, no error checking, no security, nothing. I can see showing a short example to introduce the class to a function, but actually the class would benefit by having real world examples including best practices for security.
I have to point out something you said that I do not believe is reflective of reality. Not only has China been attacking us for quite a while, including stealing data from JPL back under Clinton, but they are doing so much that a recent honey pot was found and attacked by them within days. Our "allies" have been hacking our infrastructure for years as well, including France, Germany and others. Britain may be "formally" announcing their plans, but don't believe for a second that they have not been engaged in this for quite a while. Countries have hacked into our corporate databases and provided information to companies in their own countries in order to gain an advantage.
The only thing "new" is that people are starting to talk about it a bit more. I don't want to get into a debate about right or wrong, or which side is doing what. The fact is that our leaders have known about these risks for quite a while, and have decided to ignore the attacks. Our corporate leaders don't want to spend the money. Google is a great example as they just decided to start encrypting data between their data centers due to hacking attempts (quite successful ones) by our own government! They knew of the risks when they chose the path they went down, and only now are they doing anything because they are concerned about a loss of business.
Good coding practices are a necessity. Unfortunately it is far too late to start. By the time any country or corporation fixes things, they will have already suffered loss in some form.
Dave
November 11, 2013 at 8:35 am
djackson 22568 (11/11/2013)
...Unfortunately it is far too late to start...
Ignoring the US bias (well, almost ;-)), statements like this are not helpful. It is too late to start on time but unless a journey is started the destination will never be reached. A late resolution is still a resolution and, therefore, better than no resolution.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
November 11, 2013 at 9:02 am
Interesting article - not bad overall, though it again conflated stored procedures with parameterization, and completely missed not giving the service account admin permissions.
Password security wasn't mentioned (and given the Adobe breach, it's clearly still a critical area) - suffice it to say, use PBKDF2/PKCS#5/RFC2898 with tens of thousands of iterations total, or bcrypt or scrypt with the equivalent.
I have to agree with the posters above - the #1 problem I really see is that it is very difficult to get anywhere close to less-insecure code if you're learning and using any kind of normal sources (classes, books, Internet searches, forums), because even the top quartile of normal sources stop cold at "it compiles and it runs (de minimis)". Try a search on how to use AES encryption in .NET - even setting aside the articles that simply break functionally, you'll almost always see hardcoded salt/nonce and IV (Initialization Vector) values, which are a major security problem, and often you'll see ECB mode (another major security problem - see Adobe).
It's difficult enough to learn to write maintainable or robust or efficient code, given the examples prevalent in almost all sources - adding secure on top of that is almost impossible unless you look very specifically for secure code... and you can judge the bad articles.
Testing security is also much more difficult than any other coding tests. Testing correctness - well, if you knew what it's supposed to do, you've got your first set of test cases. Testing efficiency - code it three to five different ways, and measure that. Testing maintainability - try to pretend you haven't seen anything about it for 5 years, or show it to any other developer/DBA. Testing security - first you have to know all the attack types, then you have to recognize them, then you have to be able to duplicate them as a test condition...
I do like SQLServerCentral, though - the articles vary, the ratings vary, but the discussions on the articles are very often extremely useful and high quality, pointing out mistakes, oversights, improvements, and alternatives.
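The post above recommends PBKDF2 with tens of thousands of iterations and warns against hardcoded salts. The following is an added example, not code from the original thread or from SQLServerCentral, showing what a minimal password-storage routine looks like when it follows that advice: a fresh random salt per record, an iteration count stored alongside the hash so it can be raised later, and a constant-time comparison on verification. It uses only the Python standard library; the iteration count of 100,000 and the `pbkdf2_sha256$iterations$salt$hash` record format are assumptions chosen for illustration, not values from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count picked for illustration; in a deployment it is
# tuned so that one verification costs tens of milliseconds on the real hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields).

    The salt is generated per call from the OS CSPRNG, so two users with the same
    password (or one user changing and reusing a password) never share a hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # never a constant baked into the source
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def records_share_salt(record_a: str, record_b: str) -> bool:
    """True when two stored records reuse the same salt (the defect the post warns about)."""
    return record_a.split("$")[2] == record_b.split("$")[2]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong password", rec))                 # False
```

Storing the iteration count in the record is what lets the count be raised over time: a record hashed with the old count still verifies, and can be rehashed at next successful login. The same shape applies to bcrypt or scrypt, which embed their cost parameters in the output string themselves.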
November 11, 2013 at 9:11 am
Gary Varga (11/11/2013)
djackson 22568 (11/11/2013)
...Unfortunately it is far too late to start...
Ignoring the US bias (well, almost ;-)), statements like this are not helpful. It is too late to start on time but unless a journey is started the destination will never be reached. A late resolution is still a resolution and, therefore, better than no resolution.
Well I apologize for my inadvertent wording. I am having difficulty putting my thoughts to words.
We clearly need to start. However, I think it is important to note that probably all countries, and probably most companies, have already suffered some loss. Few are expending any resources to fix things due to the method used to weigh the costs versus the benefits.
As to a late resolution being better than none, I disagree in some cases. But the reason I disagree is because sometimes a late resolution is too late. Assume a company gets hacked and goes out of business. That they were weeks from deploying a fix is irrelevant. I understand that isn't what you are saying. I assume you mean starting late, as long as you finish prior to any catastrophic event, is better than not starting at all.
The difference between what I tried to say, and what you are presumably saying, is whether starting late is still starting in time to prevent major issues.
If I am saying things wrong, please don't take it as disagreeing with your points. I am not. I am trying to say that sometimes starting late means not finishing at all.
Not sure what you mean by US bias. Snowden clearly showed the US is going too far both internally and externally. However, other countries have been doing the same thing for a long time. I admit to bias against some countries, but certainly not GB.
Dave
November 11, 2013 at 9:38 am
All coding aside, in many to most of our cases, the real question is:
What is the best business case to present to management on why the increased cost, lengthened timelines, increased developer skill requirements, increased testing, and other limitations secure coding entails are worthwhile, and to what degree?
November 11, 2013 at 9:46 am
Nadrek (11/11/2013)
All coding aside, in many to most of our cases, the real question is:
What is the best business case to present to management on why the increased cost, lengthened timelines, increased developer skill requirements, increased testing, and other limitations secure coding entails are worthwhile, and to what degree?
Good question, but one I fear has no answer. The terrorist attacks on 9/11 resulted in numerous companies going out of business due to poor disaster planning. Companies still do not grasp the risk. Security is basically the same thing. Unless the people at the top can be made to understand the risk, they aren't going to do anything about it. I don't believe it is possible to make most of the people in charge understand. Most corporate leaders come from finance and sales roles, not technical roles. They focus on increasing sales and profits, decreasing costs. Spending money on IT has always been hard to justify, because the ROI never seems to materialize. Reduced labor costs don't come true due to people being reassigned once automation takes care of something they used to do. Showing an ROI on a security investment? I just don't see that happening right now. Once enough companies are made to feel the pain of not securing their infrastructure, maybe others will start doing so. Proving the value now is probably not possible given how leaders tend to value investment.
Dave
November 11, 2013 at 9:58 am
I'd still argue this is more an internal developer professionalism issue more than a business case.
We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.
If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.
In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.
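Steve's post above lists "code that allows SQL Injection" among the things teaching examples should not dumb down, and an earlier post notes that using stored procedures is not the same thing as parameterization. The following is an added example, not code from the thread or from SQLServerCentral, putting the two query styles side by side so the difference is visible in a test. It uses an in-memory SQLite database with constructed sample rows; the table name, columns and probe string are assumptions for the demonstration. The vulnerable function is kept only to show what the parameterized form prevents.

```python
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable pattern: the untrusted value is pasted into the SQL text.

    Whatever the caller supplies is parsed as part of the statement, so a value
    containing a quote can change the WHERE clause instead of being compared to it.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened pattern: the statement is fixed and the value is bound separately.

    The database receives the query shape and the data through different channels,
    so the value is only ever compared, never parsed. This is the property that
    matters; a stored procedure that concatenates dynamic SQL inside itself
    gives none of it.
    """
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_demo_db()
    probe = "x' OR '1'='1"  # constructed input with a quote character in it
    print("unsafe:       ", find_user_unsafe(db, probe))          # returns every row
    print("parameterized:", find_user_parameterized(db, probe))   # returns no rows
    print("parameterized:", find_user_parameterized(db, "alice"))  # ['alice']
```

The difference to test for is not "does it run" but "does a value containing SQL syntax behave as data": the bound-parameter version returns nothing for the probe string because no username equals it, while the concatenated version returns every row. The same holds for `SqlCommand.Parameters` in .NET or `sp_executesql` with declared parameters in T-SQL; the mechanism is the separation of statement from value, not the use of a procedure.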
November 11, 2013 at 10:05 am
Steve Jones - SSC Editor (11/11/2013)
If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.... though many business people might prefer to roll the dice that their information will not be lost/copied.
Clearly, many people do not yet have the skills and knowledge - gaining such does take time, money, and slows down projects, since they would "work" insecurely just as well as they "work" securely.
That last comment is exactly on target, though - security comes in three basic flavors:
1) (At some point in time) You lose your data and/or you lose your systems, you lose your customers, you lose your membership, and you go out of business.
2) (At some point in time) You lose some of your data and/or you lose some of your systems, you lose some of your customers, you spend a lot on immediate remediation, and you suffer reduced business and/or increased cost of doing business.
3) (At some point in time) You fail to lose some of your data and/or some of your systems.
It's essentially the same set of arguments as dealing with natural disasters, fires, and so on, without the loss of life and usually without the physical destruction of property.
November 11, 2013 at 12:11 pm
Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.
Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
November 11, 2013 at 12:23 pm
Gary Varga (11/11/2013)
Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.
Yes, but password management, authentication, secure coding for sql calls, all of these techniques and skills exist. If we all used them from the beginning, as part of our habit, the effort in planning and engagement would be much, much lower.
I'm not saying all security decisions can be removed, but lots can.