Archive for September, 2007

Why does forum software have more security features than “enterprise” tool chains?

I am constantly amazed by the sheer lack of security in the average “enterprise” tool. I’ve looked at many over the years, and most are designed to the “soft squishy center” anti-security model. Typically:

  • They do not implement any form of strong authentication, nor any facility to integrate with known strong authentication solutions
  • They do not implement any form of strong identity handling, so when someone is logged into component A, it’s nearly impossible at component D to determine who is doing a particular action (see accountability below)
  • They do not make it easy to implement end-to-end access control (fine, medium, and coarse grained), so most of the time, authZ is equivalent to “do what the hell you want to do”, allowing the golden apples to fall very easily
  • Often they do client-side stupid tricks and can be trivially tickled into doing something really dumb
  • Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day
  • Data validation misses the business rules allowing tweaking of the golden apples, particularly on the way out. That old mainframe or ancient database is no more trustworthy than a slightly dodgy user
  • Modern business scenarios (business / trading partners, extranets, etc) are very poorly done
  • Encryption, if it is done at all, is of the crypto toy variety or the folks leave the keys in the door. But 95%+ of the time, it’s not even there, and yet here is all the value of the business, just lying there waiting to be rustled under the covers

A counterpoint to this is forum software. Admittedly, I help write forum software in my copious spare time (read: none at all), but considering that in most cases, the value of the asset being protected is precisely zero dollars, it’s amazing just how many security controls are relevant (and useful). They do what they do well, and yet they have to implement – through repeated and automated attacks – pretty much all of the OWASP Guide’s suggestions.

I honestly wonder why folks think that “enterprise” software is somehow magically safe or scalable.

Fucktard drivers

What is it with “sporty” coupes and their drivers? We were nearly killed coming home from the hospital by 8CR J60, a black Infiniti of some description. There’s a complete fucktard behind the wheel, who will hopefully get a nice moving violation from the police tomorrow. I hope with all my heart that this is the last few points on his license so he is off the road for a few months. Honestly, why drive if you’re going out there to kill yourself and others?

Cultural Learnings from the Great United States Of America

Well, I was watching this new show called “The Big Bang Theory” last night (on Tivo-To-Go at the hospital, but that’s for another blog entry another time). It’s written by Chuck Lorre who has done a lot of great comedy, including Two and a Half Men. I quite liked it, as what’s not to love?

  • Cosmologically-correct lyrics in the opening titles – sure to annoy literal evangelicals YAY!
  • String theory jokes, using the actual differences between the various string theory camps as the punchline
  • Actual WoW game as a come-on … as in, let’s play WoW together … in different rooms … so I can get in your pants … somehow

I never thought I’d hear jokes like this ever on prime time TV sitcoms – let alone from the country that watches Britney Spears’ every move as if it’s actually important (hint: it’s not important).

What I didn’t like: the stereotypes are really old. The guy with the 60’s hair – never met him. The two guys who play Klingon Boggle. I’ve been geeky since whenever and I’ve never seen this, but maybe I’m not l33t enough in the Trekkie circles. One-dimensional geeks. Sure, there are some folks who have Asperger’s or are borderline so, but most geeks are into a very wide variety of things, and not just intellectual pursuits and Babylon Five. I give it thirteen episodes before it’s canned. This show is far too cerebral and cliquey for the show biz types, who will go “I haven’t understood a single joke”. It’ll be a shame, as it’s the first US sitcom I’ve ever seen that doesn’t talk down to its audience. For that, you need to see Beauty and the Geek. I’m scared, very scared when I watch that show.

Security Engineering

One of the really cool things my job allows me to do is go teach developers and managers about application security.

In the past, I’ve half jokingly said “when the revolution comes, X will be first against the wall”, where X is a product or company who has no clue about security and worse, they pissed me off. Well, I felt the wall and the hood with these students – they wanted to revolt!

My crime? For daring to suggest that they do not belong in production.

READ MY LIPS! DEVELOPERS DO NOT BELONG IN PRODUCTION! END OF RANT

We have to end the developer cult where they believe they are black magi sending code from on high. Those days never really existed. It was only because any old oxygen bandit* could get paid (and paid well) to write crap. Guess what? Crap may be the state of the art today, but you’ll have to do better, and soon.

Real engineers are fallible, but they know this and design around it. Coders seem to think they are magically immune from engineering problems, and do not code in any defense in depth. One of the key ingredients for software security is production management. And part of that is that developers do not have logins for production systems. They do not have access to promote code by themselves. They do not need special features just because they are developers.

Developers need to learn basic production hygiene. I help teach it, but they have to accept it and live the life. If you are a developer, and you have access to production, it’s time to lose those credentials. If your code has backdoors that let you do more than anyone else, that’s a sackable offense at many financial institutions and government shops.

Let’s start being engineers instead of cowboys.

* Oxygen bandit. n. Someone who breathes air they don’t deserve, is able to dress themselves in less than 30 minutes, and who is able to drag a few controls onto code someone else developed. For more details, see one of my favorite sites.
