Slashdot Mirror
Corporate Cultural Issues Hold Back Secure Software Development (betanews.com)
An anonymous reader shares a report: As the digital economy expands and software becomes more critical, security worries grow. In a new survey, 74 percent of respondents agree that security threats due to software and code issues are a growing concern. The study of over 1,200 IT leaders, conducted by analysts Freeform Dynamics for software company CA Technologies, finds 58 percent of respondents cite existing culture and lack of skills as hurdles to being able to embed security within processes. In addition, only 24 percent strongly agree that their organization's culture and practices support collaboration across development, operations and security. On top of cultural limitations, less than a quarter of respondents strongly agree that senior management understands the importance of not sacrificing security for time-to-market success.
I think it's likely worse than that. The problem is that the "respondents" aren't necessarily people good at spotting where there are problems or what the nature of the problems are.
They "slow down" the fast release cycle of the current rage and utterly incompatible with the prima-donna attitudes of most programmers, all of whom believe their shit doesn't stink and every one else is an idiot. Security is hard, and done correctly adds yet another layer of complexity to an ever-increasing morass of code (it may be well organized, but it still looks like spaghetti to the new girl) that becomes yet another piece to keep in mind as you develop. Basically, it fucks with flow when you're writing security first and even then there's no guarantees that it actually provides security. And if you don't design with security in mind from the beginning, jesus christ it becomes difficult to rip everything out and redo it later.
Security issues can be patched later on. If you are beaten to market, in many cases you might as well send everyone home and close up shop. Launching ahead of the competition and establishing a beachhead is the single most important thing with any product and everything else is #2. I understand that many engineers don't understand this, but they are not paid or trained to think this way. That doesn't make it any less true.
In other news, Microsoft finds that adopting Windows will work best for your company, Monsanto funds a study to say their crops are the sure way to make money as a farmer, Ford funds a study that says they make the best cars and trucks, Coca-Cola funds a study that finds their products are the most liked, etc.
I don't disagree that security is a problem, I just have a fair bit of skepticism that a study funded by Computer Associates, takeover-and-neglect artists of the software world, is really going to get to the root issues that make integrating security into software development processes without a fair helping of "we can send an army of consultants to help you for a fee, in addition to licensing some software we acquired and will resell/license to you at a pretty large markup".
I have seen this myself. I had a DevOps job (which I leaped from, to a far better place) where the Scrum master (who had the power to recommend terminations, and managers rubberstamped them) where the dev team was always in a sprint. Every morning, there would be a 4-6 hour stand-up meeting where each dev would be interrogated about their code and where their build was. Each coder had to justify their existence, and why they fell short of the standing order of a huge amount of lines/day (around 10,000). This turned into hours of blamestorming and finger pointing because people had to find a something that was blocking them in order to save their jobs.
In that environment, people were far more interested in getting their code working than even thinking of security. The gamble they made was that if the company got sued due to bad security, it might filter to them eventually. However, not meeting the story or epic deliverables come stand-up time was a 100% guarantee that they would be pink-slipped.
Secure software development happens where it's regulated (SOX, HIPPA, etc.)
Why?
Because if the company doesn't, they pay a metric f***ton of cash for false claims of X compliance.
Without regulation, the buyer absorbs all the security risk.
In some cases, this is absolutely fine, and we should leave it alone.
In other cases, this is absolutely wrong, and the government should regulate it.
Which cases are which? That's the $64,000 question...
1) Corporate Cultural issues aka employee engagement - seriously if upper management is toxic and plays psychological games, who is going to give a shit about your software on any level let alone security?
2) Lack of software engineers with appropriate level of skill, education and experience. But you know it's because we can't find qualified candidates aka ones that are unicorns that will take minimum wage as compensation.
3) Companies that don't take security and risk seriously because hey why do we need to take this seriously now? We didn't take it seriously 20-30 years ago and now you're asking me to spend more money than I used to on "best practice"? You're just trying to trick me into giving away my precious money on things we really don't need like all those RAD tools I've been pitched over the years...
I could go on ad nauseum here but the TL;DR is: if you treat your employees like expendable pieces of shit that can supposedly be replaced by interns and contractors and tell them they should be thankful for it, your software is going to be shit on every level not just security.
We'll make great pets
"On top of cultural limitations, less than a quarter of respondents strongly agree that senior management understands the importance of not sacrificing security for time-to-market success."
time to market can be a make or break for profit. So how much liability are you willing to accept to make a profit ,if the alternative is bankruptcy , I'd say most managers would 'go for broke' and accept whatever risk is necessary to make a profit.
That is much the same reason we have the FDA, because large food companies , when left unregulated , have in the past, killed more then a few people in the name of greater profit.
There sooner or later will be more regulation on security critical software then there is now. That will slow down innovation, but prevent loss of life and property. A trade off that must be struck somewhere and will, weather good for everyone or not , be solved based on public perception.
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
Oh, you meant software development culture. What'll it be, pal? Agile? DevOps? Scrum? Shall we all gather round the kanban and discuss this over coffee? Pay no heed to the screaming you hear from accounting. The new people always have that reaction when we tell them we don't intend to make money.
less than a quarter of respondents strongly agree that senior management understands the importance of not sacrificing security for time-to-market success.
So the problem is that senior management may understand, and the answer is not one that security experts like. Financially speaking, it may make sense to be a little fast and loose with security, or at least faster and looser than hardline security guys want. Security problems represent a liability, and for some cases not much liability, some times it *could* ruin your company, depending on what sort of company you are, the data you have, and which part of the data could be hypothetically compromised by the subsystem at hand. These have to be weighed against the cost of prevention both in terms of staffing/consulting and opportunity cost when your paranoia causes you to not implement a scary feature that your competitor does, or to be a year later than a competitor.
Complicating things, there's a disconnect between paranoid security practices and where the largest breaches come from. The vast majority of breaches come from someone putting a crappy credential on something. This is overwhelmingly bad practice and overwhelmingly basic. The reaction to a breach in the industry is for security guys to use it to go to town, enforcing more and more draconian limitations using more and more inscrutable approaches to mitigate risk, even though the existing processes would have already defended them adequately if applied correctly. It's like never taking a shower because you keep reading about people drowning in the ocean. There's not the risk in your shower, but water-related death is a thing, so why take a chance.
Meanwhile, time to market and availability are both negatively impacted when security-focused guys rule. In their job description, there is *insane* risk associated with ever saying 'yes', and generally not much risk associated with saying 'no'. They also know damn well that for all their effort, they will *not* get the whole picture, whether the team being reviewed intends to or not, they will never catch all the poor security decisions, further driving them to be paranoid in hopes they mitigate everything the company does in the hopes of catching the mistake in general roadblocks.
The general corporate reality of 'external' security teams reviewing the efforts of 'non-security' teams leaves a lot of room for the worst of security policies inhibiting productivity and of insecure design getting through that the security team is going to be oblivious to. The answer is an embedded understanding of security principles in the day to day, but that truth is too inconvenient as that is quite an expensive proposition. They want to take unskilled folks and duct tape security on by having a small band of security 'experts' tick a checkbox in the process.
XML is like violence. If it doesn't solve the problem, use more.
Corporate Bottom Line Hold Back Secure Software Development
FTFY
Animal psychology issues hold back a lot more than that... culture is quite secondary. There is no mystery as to causation. The brain stem is still the master.
“He’s not deformed, he’s just drunk!”
It's a company culture issue? No kidding! I've dealt with this in one form or another since 1980. Management is ALWAYS focused on the easily quantifiable, whether it's when can you ship or micro-managed details like how many lines of code someone can produce per unit of time. Security is a black art to most management, and they see it as something you can only deal with after software ships and you have hard data on the number and severity of problems.
Security has zero chance of getting better until this changes.
Just tie the pay of the managers to security. If there are security issues then the managers start losing money. Problem solved!
Anons need not reply. Questions end with a question mark.
Meanwhile some people contemplate about security on software development field, others see this as futile and meaningless,because of lousy processor design.
... that's still the biggest, easiest to prevent issue.
There's no excuse for that kind of stupidity these days.
with things like diversity instead of finding the right people who can actually do a good job
Not prepared to pay enough to attract skilled people
Maybe locks themselves, hopefully safes and vaults, but virtually no other industry could afford to be as security focused as we're requiring of software here.
My car door is easily opened without the key. The wipers are easily removed. A jeep can be dismantled with an Allen key.
My front door has a deadbolt, with a big glass window next to it -- no bars.
My Telecom services are connected in a box on the front line. Right next to the water shutoff.
Virtually everything in our lives is completely insecure.
We encrypt and certify packets of data, but I eat food from a cart on the street, or carried past a dozen strangers in a restaurant.
I like my computer working well. But it doesn't *matter* compared to the food I eat.
No one wants security, and not just in code.
I mean, in order for people to use safety gear that can save their lives, we need strict regulations and punishments. And I don't mean employers not caring about employees safety, I mean employees having everything they need at their disposal and not using it despite the signs.
Security is about spending time doing non-functional stuff and restraining yourself. People hate that. And even if it is provably useful, it goes against human instinct which is to prioritize short term goals.