20091119

A Non-Technical Rant

First, if you're looking for a post that is exemplary in its technical merit, this isn't it.

Second, my apologies for the long silence. I've been working on exciting stuff, but that's no excuse for posting nothing for this long of a period.

Now for our regularly-scheduled complaint...

I received some news today that was very disturbing. The thing in the news that bothered me was not that the person who sent the news disagreed with me - I'm not bothered by that. I tend to embrace being a bit different.

But what bothered me was a statement in the end of the message. The end of the message said that the team I was working with needed to spend more time researching ways to make defensive coding completely invisible to developers. The people who made this statement were way smarter than me, so I must be completely in the dark here.

Defensive coding should be automatic, yes. Invisible? Never. Similarly to shielding your children from every bacteria and virus that might come their way, only to find they spend the remainder of their life sick, these people think that the way to have more defensive code is to make it totally invisible to developers. Developers should be trained less on defensive programming so that when new attack vectors come out, the only people who can rescue them are security professionals. (Security professionals - what's our track record so far when we do things our way?)

So the gist of the statement was this - developers are too stupid to write defensive code. Functional code is no problem, but defensive code is serious business that we need to leave to the security professionals.

You trust developers to handle your income tax returns, but don't trust them to use prepared statements on purpose?

You trust developers to navigate the space shuttle, but doing some proper input validation is too complex for them?

You trust developers with sensitive health care information, but think that they're too dull to properly obfuscate it when logging?

See, this is exactly what the problem is right now. We security people think that everybody else is too stupid to get it, and that we have to rescue them. We can't possibly hold people accountable for gaining new knowledge? Look - the security vulnerabilities we find today aren't new. People had to program defensively long before there was a security industry. But now that there's a security industry, the best thing we can do is make writing good code transparent? Pshaw! If the coders aren't doing things right, raise your standards. If you are or know a programmer, you know the way to motivate them - tell them it can't be done. That will show you who the real programmers are. (But I'm still convinced that a decent blacklist simply cannot be written.)

A previous group I worked with used a set of tools I had written as a benchmark for hiring people. This isn't to say that what I wrote was rocket science - it just took some time, reading, and mostly tinkering. Nobody we hired was able to crack the nut in a reasonable amount of time - but we weren't looking for the people who could figure it out in an hour - the people we hired were the ones who tried - who weren't scared of a challenge - who were convinced it could be done, and who were determined to find a way to do it.

There do exist people with that mindset. The real programmers are those people. And they're not so stupid that you have to make everything invisible to them. They're smart enough that once you make the need clear to them, they will do the right thing automatically - because it's the right thing. They're the ones who will program defensively when there aren't automated tools around making their code defensive without them knowing it.

EORant.

date: 11/19/2009 02:20:00 AM

0 comments:

Post a Comment