The Poor State of Secure Coding

  • Comments posted to this topic are about the item The Poor State of Secure Coding

  • A lot of people are using .Net.  The problem is that most .Net developers are more like regular people than they are developers. They don't really understand enough about how code executes to be aware of security holes.  They are not "gear heads".  To be good at security you have to be able to see security holes while you are coding your own code.  A person like that is a thinker, a "gear head".  They don't see text on the screen while they are programming, they see behind it.  Those kinds of people are missing.

  • These firms that don't take security seriously are going to get a rude awakening once GDPR comes into full force. This is maybe the biggest change in the I.T. space since the Y2K bug. The UK government, whether it is under Corbyn or May, are going to pursue aggressively the big names (4% of the total turnover in fine).  Now every big firm must hire/appoint a Data Protection Officer that will have the same kind of power as a COO or a CFO.  
    Actually, thanks to this new piece of EU-inspired bureaucracy, we might enter a new era of cyber warfare between firms. Imagine two firms competing for the same slot - say Tesco vs Asda. One firm could hire hackers or simply disgruntled employees to leak some client data from their competitor onto the dark web. A heavy fine (4% of the total turnover, remember!!) ensues because the firm wasn't capable of protecting the client data. Shares plummet and the losing firm loses its reputation, etc. Until jurisprudence is established, what constitutes "reasonable steps to secure data" is open to anyone's interpretation.

    Unfortunately, although my firm has appointed a security advisor, he has not yet grasped the amount of change at the data governance level that is required to be compliant by May 2018. I myself feel a bit overwhelmed: it is not just about encrypting all the tables/files containing client data (identifying those is a challenge by itself - I have, for example, not a clue where we capture and store the IP addresses for web analysis). It is about redefining security around SSRS reports (more than 600 of them) to make sure that only people privy to the information can see them (we have almost 2000 users). Which means that the managers themselves need to redefine their own level as well as their employees' level of access. It is about having a quick process to erase all client data (remember that people will have the right to be "forgotten") and replace it with dummy data (we still need to perform analysis on the data). It is about figuring out what each of us needs to do if a breach happens (72 hours response time). I mean, if on the first of July 2018 someone brings and copies across some data on their USB drive (whether it is a DBA contractor copying a database or an employee just extracting from SSRS some data into CSV) and sells it on the dark web, what are we supposed to do in the 72 hours period?? And all of this without any new budget available because the board has not a freaking clue of the actual scale of the work involved... Rant over! 🙂
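The "erase it but keep it analysable" requirement in the post above is usually met by pseudonymisation: direct identifiers are replaced by keyed tokens so counts and joins still work, and a forget request overwrites one subject's tokens with a dummy value. The following is an added example, not code from the thread or from any product it mentions; the key, column names and customer rows are constructed placeholders.

```python
"""Added example (not from the thread): keep a customer table usable for
analysis after direct identifiers are pseudonymised, and erase one subject
on request. Key, column names and rows are constructed placeholders.
"""
import hashlib
import hmac

# Columns that identify a person directly; everything else is kept for analysis.
DIRECT_IDENTIFIERS = ("name", "email", "ip")
# Placeholder key: in practice this lives in a vault and is rotated or destroyed.
PSEUDONYM_KEY = b"placeholder-key-replace-me"
ERASED = "ERASED"


def pseudonym(value, key=PSEUDONYM_KEY):
    """Deterministic keyed token: the same input always yields the same token,
    so counts and joins still work, but without the key the token does not
    reveal the original (a plain unkeyed hash could be brute-forced from a
    list of likely e-mail addresses)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(rows):
    """Replace every direct identifier in every row with its keyed token."""
    out = []
    for row in rows:
        new = dict(row)
        for col in DIRECT_IDENTIFIERS:
            if col in new:
                new[col] = pseudonym(new[col])
        out.append(new)
    return out


def forget(rows, subject_email):
    """Right to be forgotten on a pseudonymised table: overwrite the subject's
    identifiers with a dummy value, keeping the analytic columns so aggregates
    remain correct."""
    token = pseudonym(subject_email)
    return [
        dict(row, **{col: ERASED for col in DIRECT_IDENTIFIERS}) if row["email"] == token else row
        for row in rows
    ]


def spend_by_region(rows):
    """The kind of analysis that must still work after pseudonymisation."""
    totals = {}
    for row in rows:
        totals[row["region"]] = totals.get(row["region"], 0.0) + row["spend"]
    return totals


def leaks_raw_identifier(rows, raw_values):
    """Check that no original identifier value survives in the table."""
    return any(row[col] in raw_values for row in rows for col in DIRECT_IDENTIFIERS)


# Constructed sample rows; the IPs are documentation ranges, not real hosts.
SAMPLE_ROWS = [
    {"id": 1, "name": "Jane Doe", "email": "jane@example.com", "ip": "203.0.113.7", "region": "North", "spend": 120.0},
    {"id": 2, "name": "John Roe", "email": "john@example.com", "ip": "198.51.100.9", "region": "North", "spend": 80.0},
    {"id": 3, "name": "Ann Poe", "email": "ann@example.com", "ip": "192.0.2.44", "region": "South", "spend": 50.0},
]


if __name__ == "__main__":
    table = pseudonymise(SAMPLE_ROWS)
    print("before forget:", spend_by_region(table))
    table = forget(table, "jane@example.com")
    print("after forget: ", spend_by_region(table))
    print(table[0])
```

The HMAC key is what makes the tokens safe to keep next to the analytics: destroying the key is itself an erasure step, because nobody can then regenerate a token from a known e-mail address to re-link a row.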

  • I'd say we need to hire white hat hackers.  I knew one.  To say he was greatly unappreciated by the powers that be would have been an understatement.

    You'd be amazed at what turns up in web and application server logs.  You may think you've got your bases covered by encrypting and securing your DB servers.  That does you damn all good if someone is writing out "helpful" error messages in clear text containing PII information.
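The log-leak problem described in the post above has two defensive halves: scrub exception text before it reaches the log, and audit the logs you already have. The following is an added example in Python, not code from the thread or from any product it mentions; the regular expressions, the Luhn filter and the sample log lines are constructed for illustration.

```python
"""Added example (not from the thread): catch PII in error text before it is
logged, and audit existing log lines for the same leaks.

The patterns, Luhn check and sample log lines are constructed for illustration;
adapt the patterns to the identifiers your own systems handle.
"""
import re

# Kinds of PII that tend to leak through "helpful" error messages.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # 13-16 digits, optional separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # US-style social security number
}


def luhn_ok(digits):
    """Luhn checksum, so plain row counts or IDs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(message):
    """Return (scrubbed message, list of PII kinds found).

    Card candidates are only redacted when they pass the Luhn check; e-mail
    addresses and SSNs are redacted on pattern match alone.
    """
    found = []

    def card_sub(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append("card")
            return "[CARD-REDACTED]"
        return match.group(0)

    message = PII_PATTERNS["card"].sub(card_sub, message)
    for kind in ("email", "ssn"):
        message, count = PII_PATTERNS[kind].subn("[%s-REDACTED]" % kind.upper(), message)
        found.extend([kind] * count)
    return message, found


def log_exception(log_lines, exc):
    """What the application should do: scrub the exception text, then log it.
    Returns the kinds of PII that were stripped so the leak can be reported."""
    scrubbed, kinds = redact(str(exc))
    log_lines.append("ERROR %s" % scrubbed)
    return kinds


# Constructed sample of what an unscrubbed application log might contain.
SAMPLE_LOG = [
    "2017-06-06 09:12:01 INFO  order 1182 shipped",
    "2017-06-06 09:12:05 ERROR payment failed for jane.doe@example.com card 4111 1111 1111 1111",
    "2017-06-06 09:13:40 WARN  lookup failed for SSN 123-45-6789",
    "2017-06-06 09:14:02 INFO  batch of 1234567890123 rows processed",
]


def scan_log(lines):
    """Audit existing logs: (line number, sorted PII kinds) for each offending line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, kinds = redact(line)
        if kinds:
            hits.append((number, sorted(set(kinds))))
    return hits


if __name__ == "__main__":
    for number, kinds in scan_log(SAMPLE_LOG):
        print("line %d leaks %s" % (number, ", ".join(kinds)))
    print(redact(SAMPLE_LOG[1])[0])
```

The fourth sample line shows why the Luhn filter is there: a thirteen-digit row count matches the card pattern but fails the checksum, so it is left alone, while the test card number on the second line is scrubbed.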

  • The state of coding is poor, with far too many developers understanding how to write secure code

    I suspect that this is a typo. It is not so much the understanding as the interest. I've been to several presentations on security at PASS that have been excellent. Besides a few DBAs monitoring their servers remotely on laptops at the back of the auditorium, I've been almost the only keen and alert attendee. DBAs and developers probably know a bit about security, but are extraordinarily uninterested in it. I was pretty complacent until I worked in a company that employed a hacker to test security on all systems before they went live, and also had an expert in intrusion detection. The internet is a wild and ruthless place. I urge everyone to get up to speed and up to date on database security in all its aspects. Things aren't going to get better.

    Best wishes,
    Phil Factor

  • It's not the coders, it's the C-level folks and investors that don't want to pay for quality code, training or processes.

  • chrisn-585491 - Tuesday, June 6, 2017 6:06 AM

    It's not the coders, it's the C-level folks and investors that don't want to pay for quality code, training or processes.

    Or it could be that the C-level folks and investors are not willing to pay for quality coders.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Data breaches are becoming as common and "situation normal" as pot holes in the road. There seems to be this prevailing attitude that, if one "important" person has their identity stolen it's a tragedy worthy of a congressional investigation, but if 1,000,000 "regular" people have their identity stolen it's page 10 news for a single day.

    I use a password app, not OneLogin but another one. But I don't store my complete password. Instead my passwords are two-part, I only store the first part, and enter the 2nd part manually. Yes, this somewhat handicaps the utility of the app in that it can't auto login for me, but at least I'm covered from the worst case scenario where the password store is compromised.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • This is, as always, NIMBY.

    Truth is, it's all of the above. Made worse by the fact everyone insists on a (nearly) infinite attack surface, out of simple convenience. Convenience always trumps security, anyone who's ever dealt with PHBs knows that.

    Another important problem is the Rube Goldberg nature of our systems, from development tools on up. The more complex, the more places for bugs, the easier time hackers have and the more impossible we make it for the good guys.

    Rushing code is part of it, DevOps is part of it, management is part of it, C-level is part of it. There's all kinds of blame to go around and nobody wants to pull a chair and tuck into the crapfest that is modern IT.

    As for GDPR, that's yet another government stupidity. Not the goal, but the execution. When you have a million plus coders turning out code by the oceanful, depending on tools that are themselves full of holes, to build these cartoon-level complex mousetraps, well, good luck with that. 😀

    Either it will be quietly retired, there will be a political bloodbath or risk-averse companies will simply pull out of the EU.

  • Phil Factor - Tuesday, June 6, 2017 2:17 AM

    The state of coding is poor, with far too many developers understanding how to write secure code

    I suspect that this is a typo. It is not so much the understanding as the interest. ...

    Not sure I'd fully agree. The attacker has exactly one 'job', break in. The developers are balancing usability, reliability, performance, features etc, often trying to achieve a balance. In many cases the attacker understands security more than the developer. It's a much tougher job, as seen by the recent attacks on security savvy outfits like Microsoft, or even the NSA and CIA. With nation states and militaries involved, weaknesses will be found and will get into the wild.

    Looking to stricter laws will do little. Traffic accidents are a big problem, but tougher laws don't really change things much because most people don't really expect to be 'the one'. Hence we do things to reduce the effect: air bags, crash standards, ambulance services etc. As with terrorism, there is no way to fully protect the overall system.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Good article, Steve. I think I've not been as good as I should have been. A lot of it is the pressure to get a deployment out there ASAP, that it seems to override all other considerations. And I don't think the training on writing secure code is that good, at least I've not had much of it.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • Defending yourself from hackers is a lot like dealing with insects. You have to keep the goods locked up tight behind firewalls and encryption, and then lay out some honeypot traps along the perimeter. Eventually a drone will take a poison credit card number back to the queen and destroy the nest.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • David.Poole - Tuesday, June 6, 2017 2:07 AM

    I'd say we need to hire white hat hackers.  I knew one.  To say he was greatly unappreciated by the powers that be would have been an understatement.

    You'd be amazed at what turns up in web and application server logs.  You may think you've got your bases covered by encrypting and securing your DB servers.  That does you damn all good if someone is writing out "helpful" error messages in clear text containing PII information.

    I bet. Have a friend that can't use most monitoring products because they are concerned about data leakage into the monitoring db. I bet weblogs and app logs are full of this stuff.

  • Phil Factor - Tuesday, June 6, 2017 2:17 AM

    The state of coding is poor, with far too many developers understanding how to write secure code

    I suspect that this is a typo. It is not so much the understanding as the interest. I've been to several presentations on security at PASS that have been excellent. Besides a few DBAs monitoring their servers remotely on laptops at the back of the auditorium, I've been almost the only keen and alert attendee. DBAs and developers probably know a bit about security, but are extraordinarily uninterested in it. I was pretty complacent until I worked in a company that employed a hacker to test security on all systems before they went live, and also had an expert in intrusion detection. The internet is a wild and ruthless place. I urge everyone to get up to speed and up to date on database security in all its aspects. Things aren't going to get better.

    Thanks, corrected.

  • Eric M Russell - Tuesday, June 6, 2017 6:20 AM

    chrisn-585491 - Tuesday, June 6, 2017 6:06 AM

    It's not the coders, it's the C-level folks and investors that don't want to pay for quality code, training or processes.

    Or it could be that the C-level folks and investors are not willing to pay for quality coders.

    It's both. Coders don't want to change habits or learn, at least no shortage of them don't. Certainly investment in training or slowing a process to help people learn is an issue from management.
