It’s Time to Move Away From the Build or Break Mentality

SAN FRANCISCO–The vulnerability disclosure and patching arms race that has developed in the last decade or so in the security industry has made life extremely difficult not just for the developers writing code, but also for the folks who are interested in helping to fix broken applications. A new model and mindset is needed to help solve the problem.

One of the key advances and themes in security for the last few years has been the focus on educating developers and training them in the black art of writing secure code. That effort, advocated by Microsoft with its SDL and by outside software security experts with various other methodologies, has paid dividends in terms of fewer exploitable bugs in modern applications and a newer generation of developers with a solid foundation in security.

However, training and education are not enough, said Brett Hardin, a former penetration tester and security consultant, in a talk at Security BSides here Tuesday. Security training for developers should just be one part of a larger effort to help address the widespread problem of application security.

“We think that by training developers to write secure code, that means that all of the code that comes out of them will be secure. No,” Hardin said. “We can’t expect them to protect against all future attacks that we don’t even know about yet. It explains why education is kind of broken in terms of the SDL.

“If you follow the SDL, my suggestion is, respect the developers, because they’re the ones who write the code. And as an organization, they care more about releasing a new product, and if it comes down to you or them, they’re going to win. Good developers are very hard to find.”

Hardin said that the current tension between the folks who build products and those who enjoy breaking them is indicative of the bigger issue: Few people are fixing the larger problems.

“Builders should focus on what they’re good at, which is building things, and breakers should focus on what they’re good at and shut up about fixing code and just submit them to us and let us fix them,” he said. “Fixers want to leave things better than the way we found them. Breaking stuff is sexy. If I bring an ATM up on stage and push some buttons and it operates as expected, you guys would be like, what the hell? It all depends on what you care about.”

Ultimately, everyone interested in using technology should care about those products working correctly and not breaking spontaneously and spectacularly. But the mindset difference between people who write code and build products and those who look for ways to make them fail is a stark one, Hardin said.

“Breakers do not understand how to fix stuff, it’s not what they do. Anytime someone says, man, developers are really stupid, you know they’re oversimplifying the problem,” he said. “Fixing code is difficult, it’s not easy. If you’ve ever refactored code, you know this. The point is, you’re alone out there and no one is going to help you. I don’t think technology is really going to solve the problem, and processes help, but they’re not enough either. We need to realize we’re alone right now and bring more people on board to our way of thinking. Stop looking for the silver bullet and realize it’s your people.”

Discussion

  • Anonymous:

    Your problem is that you think developers like to fix bugs. Developers, in today's business climate, only want another project listed on their resumes; they don't want to be tied to the repair process because that will mean they can't continue to add new 'accomplishments'.

    They're also increasingly incompetent (as a whole). To demonstrate this, lock 100 developers in rooms by themselves with a compiler and ask them to write an application. 99 of them can't code anything that's been included in a standard library in the last 20 years, and 50+ of them will ask 'how can I access google/bing/etc'.

    Standardization is one thing, and ability is something else.
