The popularity of a security consultant within a development oriented organisation is most certainly bi-polar. Occasionally, after thwarting a breach or reporting a bug directly to a developer rather than through JIRA (where it would expose their incompetence), we are gifted the opportunity of feeling a little more human and receive – for once – some warmth from our fellow compatriots. Most of the time, however, we’re that troll under the bridge pulling at peoples ankles, standing in their way and grunting orders at them as they try to cross. On the other hand, the reality is that the very nature of our jobs is to protect and help others, and to do so requires a solid understanding of all layers of the stack. So, for the most part we’re not grunting orders whilst having no clue as to what we’re talking about: we’re making well informed observations that warrant attention.
Many a dev shop I’ve stepped into can be likened to the Lord of the Flies, where the developers are so focused on design, functionality and UX that they lose touch with what really makes a product: engineering. Design may sell a product, but without solid engineering it will almost certainly see a short lifespan, significant downtime, no sales via word-of-mouth and/or reputational harm. What I’ve been trying to teach developers is that security not only has the function of protecting data and users, but it also promotes robust engineering. Making security a priority throughout the entire design and development process ultimately forms a more reliable product that will require less ongoing downtime to patch bugs – allowing developers to focus more on functionality and design during post go-live sprints. Think of it this way: if you cut corners when constructing the foundations and frame of a house, only to later discover that there is a critical issue with either, you’re going to have one hell of a time trying to address the issue without seriously impacting it’s occupants. So, the key to forcing a shift toward secure development practices is education: knowing vulnerabilities and their impact, coding securely, testing and how to efficiently integrate standards into projects. An effective tool to illustrate this and to get developers adopting more of a hacker mindset are HackMe applications. Previously I developed and released vuln_demo, however I’ve recently ended this project and created FooBl0g. Continue reading “lord of the flies”