Sunday, March 04, 2007

Assurance and Auditing

When is a monoculture good? When it's a web application security framework you use in all of your apps, it has been well audited, and you're reasonably sure it's working.

Why is this a good thing? Because it's easy to verify, to audit, etc. It's also relatively easy to fix if something goes wrong.

I had an interesting discussion with another web security person the other day. He said that he isn't an expert developer, but he knows how to audit web apps, how to incorporate security into the SDLC, and how to monitor for compliance / proper-usage.

It was like I was talking to myself in a mirror.

I know that Jeremiah Grossman wrote about the severe lack of web security auditors out there, and I certainly agree. At the same time, I think we could make an amazing amount of progress if we stopped letting everyone shave with a straight razor and instead trained and/or forced them to use the safety razor.

Me - I learned how to shave using a standard 2-blade Gillette. I didn't learn with a straight razor, and neither should most programmers. Learn to program in Python, Ruby, hell, Java if you must. Or, learn assembly first just for the kicks. But let's stop kidding ourselves that everyone needs to know how to use a straight razor (read - C, C++).

It'd be like requiring all carpenters to learn how to use an adze. Maybe sometime when they have some spare time they can go back and have at it, but perhaps we should stick to the safe and practical. Oh, I know what you're saying... I don't need that kickback guard on my chainsaw or the blade guard on my table saw, and maybe you don't. But the statistics tell me I'd rather most people had them, if I'm in charge of the medical bills :)

Oh, and on the secure-by-default topic, check these guys out:

Pretty slick advancement if you hadn't seen it before. Reminds me again and again of how we ought to design tools (programming languages, frameworks, etc) in the computer world for safety of use rather than just ease of use.

According to some articles I've seen they haven't had a lot of adoption by the consumer market because of costs, but cabinet makers, furniture makers, etc. have been pretty enthusiastic. They are the ones with the insurance bills, worker's comp bills, etc. At $1000 extra per saw and a single finger loss running 10-20 times that in worker's comp, etc., it's a pretty easy decision to make. Now, if we didn't have insurance, worker's comp, and so on, the finger loss (or hacked system in our case) wouldn't be the cabinet maker's concern and the money wouldn't get spent.

Just something to mull on.
