A Response to Dinis Cruz’ Comments on Invisible Security


Dinis Cruz did a presentation at OWASP recently on why security should be invisible to developers.

His basic idea is that security is for security people and building things is for people who build things. He says that security people should stop rubbing developers’ noses in their problems and make security transparent so developers don’t need to think about it.

This is mostly a horrible idea.

The easiest way to see this is to take the concept of “building” to any other domain. Quite simply, anyone who “builds” something needs to be responsible for its security. Whether it’s a skyscraper or an automobile, the excuse of “You didn’t give me secure stuff to build with so I made a death trap.” isn’t a strong defense.

It’s true that there are different types of people who “build” buildings. There are those who design them and then there are those who put drywall in and nail up plywood. And perhaps the argument is that people who do basic construction shouldn’t have to know how to build a structurally sound skyscraper.

Perhaps, but someone who is responsible for building that structure is accountable for its design — including security. And that someone is most definitely a builder.

So if we’re saying regular construction people are like regular developers who don’t need to know the ins and outs of security, then I ask you who the architect is. Remember that you can’t just send a bunch of hammer and nail guys in to build a skyscraper — you need an architect to lay out an approved plan.

That architect, is held accountable for the design, and that’s the piece that we’re missing in software. It’s not right to say that developers shouldn’t have to know security; that’s false. They need to be identified as one of two types: hammer and nails guys or design guys. If they’re hammer and nails guys then they shouldn’t be allowed to code without supervision of someone with security skills. And if they’re design guys then they should be able to code securely without supervision.

But the one thing that’s completely out of the question is the notion of nobody doing the building (of whatever) having any clue about security. It’s not true anywhere else, and it shouldn’t be true for software either. Security is part of quality. If you build an insecure program you’ve built a crappy program. Good builders don’t build crappy programs.

Security is now part of the process, and it will only become more so as time goes on. If you’re asking for it to be easier for developers to be good at understanding the security of their applications, then I agree. But if you’re saying make it easy so that they don’t have to understand it…definitely not.

Developers don’t get a pass on security. It’s just like building anything else that is used by others and has any sort of security/safety implications. The responsibility resides with the creator of the object, not with those who come by to audit him. ::

Related posts: