Caleb Sima (@csima) dropped this nugget:
Just got accepted to speak at RSA on not teaching developers about securityThis was retweeted by Jeremiah Grossman (jeremiahg):
RT @csima: Got accepted to speak at RSA on not teaching developers about security < I'd agree in theory, implementation is the hard parJeff Williams (@planetlevel) hit back:
@jeremiahg @csima Not teaching developers security is dangerous nonsense. Automatic securification can never exist.I see the application security model similar to this:
- Dev: Wow, new whizbang tech that lets me do a, b, and c!
- Infosec Guy: Wow, Dev is using new whizbang tech that allows me to violate x, y and z!
- Infosec Guy to Dev: Stop using whizbang tech!
- Dev to Infosec Guy: Stop stopping me from being {productive, cool, whatever}!
- Infosec Guy to Dev: OK, at least implement these onerous and difficult security controls!
- Dev to Infosec Guy: Wow, these controls suck and I never get them right...
- Infosec Guy: Wow, the Dev people and dumb because they can't implement these onerous controls...
- [Time passes]
- Infosec Guy to Dev: Hey! Someone created a framework that magically implements the security controls that you can't seem to grasp!
- Dev to Infosec: Awesome! Now I need to learn this new framework, backport it into all 1000 enterprise apps, deal with the framework changing every week, being backwards-incompatible, and still have gaps because it doesn't work with m, n, and o frameworks!
- [Time passes]
- Infosec Guy: Wow, new whizbang tech that lets me do a, b, and c!
- ...
Eventually, frameworks (e.g. Hibernate, Spring) do pop up that implement some security control that is somewhat transparent to a developer. I'm a big fan of this approach and think that information security should act more as editors, with developers acting as authors; let them write code!
So, what do we do in-between that time, when no frameworks exist and when developers and infosec are on different pages?
0 comments:
Post a Comment