SAN FRANCISCO–The vulnerability disclosure and patching arms race that has developed in the security industry over the last decade or so has made life extremely difficult not just for the developers writing code, but also for the people interested in helping to fix broken applications. A new model and mindset are needed to help solve the problem.
One of the key advances and themes in security for the last few years has been the focus on educating developers and training them in the black art of writing secure code. That effort, advocated by Microsoft with its SDL and by outside software security experts with various other methodologies, has paid dividends in terms of fewer exploitable bugs in modern applications and a newer generation of developers with a solid foundation in security.
However, training and education are not enough, said Brett Hardin, a former penetration tester and security consultant, in a talk at Security BSides here Tuesday. Security training for developers should just be one part of a larger effort to help address the widespread problem of application security.
“We think that by training developers to write secure code, that means that all of the code that comes out of them will be secure. No,” Hardin said. “We can’t expect them to protect against all future attacks that we don’t even know about yet. It explains why education is kind of broken in terms of the SDL.
“If you follow the SDL, my suggestion is, respect the developers, because they’re the ones who write the code. And as an organization, they care more about releasing a new product, and if it comes down to you or them, they’re going to win. Good developers are very hard to find.”
Hardin said that the current tension between the folks who build products and those who enjoy breaking them is indicative of the bigger issue: Few people are fixing the larger problems.
“Builders should focus on what they’re good at, which is building things, and breakers should focus on what they’re good at and shut up about fixing code and just submit them to us and let us fix them,” he said. “Fixers want to leave things better than the way we found them. Breaking stuff is sexy. If I bring an ATM up on stage and push some buttons and it operates as expected, you guys would be like, what the hell? It all depends on what you care about.”
Ultimately, everyone interested in using technology should care about those products working correctly and not breaking spontaneously and spectacularly. But the mindset difference between people who write code and build products and those who look for ways to make them fail is a stark one, Hardin said.
“Breakers do not understand how to fix stuff; it’s not what they do. Anytime someone says, man, developers are really stupid, you know they’re oversimplifying the problem,” he said. “Fixing code is difficult, it’s not easy. If you’ve ever refactored code, you know this. The point is, you’re alone out there and no one is going to help you. I don’t think technology is really going to solve the problem, and processes help, but they’re not enough either. We need to realize we’re alone right now and bring more people on board to our way of thinking. Stop looking for the silver bullet and realize it’s your people.”