A developer’s perspective on security teams coming in at the last minute to impose requirements on the development team
First things first, I am by training, occupation, and birthright a DEVELOPER (yeah, I just screamed that and yeah I said “birthright”)! I was born this way, and if I didn’t love this stuff, there is no way I’d be capable of doing my job. This job isn’t for everyone.
Despite all the glitz, glamour, and riches you’ve been led to believe go along with that, I can tell you that development is not exactly easy to do. I’m still waiting for the paparazzi to follow me around because I turned an O(n²) algorithm into O(log n) and improved performance by 200%.
In general, it’s thankless work. When I do my job well, people don’t know about it. When I don’t… boy, oh boy do folks have some things to say about that and just like Peter Griffin, “that really grinds my gears!” I don’t remember where I first heard this saying, but I recite it to myself anytime I start to question what I do for a living.
I’ve got over 15 years of experience and consider myself a hardened (or jaded) software engineer. I’ve heard at least 100,000 ideas about great mysterious things that people think computers should do. I’ve had numerous friends solicit me to, you know, just put together a quick web application that does blah…blah…blah… and then we’ll all be rich! To which I respond, “What are you going to do?” That usually ends the conversation and we go back to being friends. I’m frequently sought after by neighbors, friends, and relatives (sorry Mom) to “fix” their computer when something goes wrong when they’ve opened an attachment from someone they don’t know. C’mon, aren’t we past that yet? That’s not even what I do. I mean, I’m just going to download a free malware removal tool and try to get the heck out of there as quickly as I can. Gee-whiz, I’ve got a wife, kids, a house, and stuff to do… like, I don’t know, that thankless job or something.
At this point in my career, I am fortunate enough to be leading my own (spectacular) team of engineers and it’s my job to make sure they are set up for success. That’s where the trouble starts. If you’ve ever sat through a requirements gathering session, attempted to decipher “market speak” from customers, or been subjected to someone who considers themselves “technical” (even though they’ve never authored a line of production code in their life) you know what I’m getting at.
I don’t claim that any of these actions are malicious, it’s just that turning human thoughts into a robust, scalable, functional, secure web application isn’t as simple as writing some code. As developers, we’ve got to sift through someone else’s jumbled thoughts and tell an unforgiving, unambiguous, “dumb” machine what they are talking about. Not only that, but we need to have it done yesterday and oh yeah, with ½ the team that’s needed. Sounds good, right? So, if you show up at my door 2 days before I’m about to release something my team has been iterating on and pouring their souls into for the last 6 months with news that I can’t ship my stuff because you haven’t “scanned” it, expect to get an earful and expect my language to be something you wouldn’t want to repeat in church.
Here are five things that I need from you, the “Security” team:
1: I need you in the budgeting discussion.
2: I need you hanging around the product management team and helping me tell them Rome wasn’t built in a day.
3: I need you to share the responsibility that I feel to ensure our product does what it needs to and shows up on time.
4: I need you to be a partner, not an adversary (I’ve collected enough of those in these 15+ years).
5: I need you to share your problem with me and have a recommendation on what to do about it.
Look, sometimes my team (yes, the spectacular one) gets things wrong. We all code up bugs, we’re not proud of it, and sometimes we do things that aren’t secure. Sorry. We need help; your help. Bring me solutions, bring me tools, and bring me something that makes securing my code easy. I’ve got a lot to think about, I’ve got lots of educating and influencing to do, and I need to get through that stuff fast. Be part of the solution and help me solve the problems you see. That way, I won’t be yelling at you, challenging your competence, and threatening to devour your soul. I don’t think you want that, and quite frankly neither do I.