A developer’s perspective on security teams coming in at the last minute to impose requirements on the development team

First things first, I am by training, occupation, and birthright a DEVELOPER (yeah, I just screamed that and yeah I said “birthright”)! I was born this way, and if I didn’t love this stuff, there is no way I’d be capable of doing my job. This job isn’t for everyone.

Despite all the glitz, glamour, and riches you’ve been led to believe go along with that, I can tell you that development is not exactly easy to do. I’m still waiting for the paparazzi to follow me around because I turned an O(n²) algorithm into O(log(n)) and improved performance by 200%.

In general, it’s thankless work. When I do my job well, people don’t know about it. When I don’t… boy, oh boy do folks have some things to say about that and just like Peter Griffin, “that really grinds my gears!” I don’t remember where I first heard this saying, but I recite it to myself anytime I start to question what I do for a living. “God may have built the world, but engineers build the world that was meant to be.” Some might call this statement blasphemy; I call it my raison d’être.

I’ve got over 15 years of experience and consider myself a hardened (or jaded) software engineer. I’ve heard at least 100,000 ideas about great mysterious things that people think computers should do. I’ve had numerous friends solicit me to, you know, just put together a quick web application that does blah…blah…blah… and then we’ll all be rich! To which I respond, “What are you going to do?” That usually ends the conversation and we go back to being friends. I’m frequently sought after by neighbors, friends, and relatives (sorry Mom) to “fix” their computer when something goes wrong when they’ve opened an attachment from someone they don’t know. C’mon, aren’t we past that yet? That’s not even what I do. I mean, I’m just going to download a free malware removal tool and try to get the heck out of there as quickly as I can. Gee-whiz, I’ve got a wife, kids, a house, and stuff to do… like, I don’t know, that thankless job or something.

At this point in my career, I am fortunate enough to be leading my own (spectacular) team of engineers and it’s my job to make sure they are set up for success. That’s where the trouble starts. If you’ve ever sat through a requirements gathering session, attempted to decipher “market speak” from customers, or been subjected to someone who considers themselves “technical” (even though they’ve never authored a line of production code in their life) you know what I’m getting at. 

I don’t claim that any of these actions are malicious; it’s just that turning human thoughts into a robust, scalable, functional, secure web application isn’t as simple as writing some code. As developers, we’ve got to sift through someone else’s jumbled thoughts and tell an unforgiving, unambiguous, “dumb” machine what they are talking about. Not only that, but we need to have it done yesterday and oh yeah, with ½ the team that’s needed. Sounds good, right? So, if you show up at my door 2 days before I’m about to release something my team has been iterating on and pouring their souls into for the last 6 months with news that I can’t ship my stuff because you haven’t “scanned” it, expect to get an earful and expect my language to be something you wouldn’t want to repeat in church.

Here are five things that I need from you, the “Security” team:

1: I need you in the budgeting discussion.

2: I need you hanging around the product management team and helping me tell them Rome wasn’t built in a day.

3: I need you to share the responsibility that I feel to ensure our product does what it needs to and shows up on time.

4: I need you to be a partner, not an adversary (I’ve collected enough of those in these 15+ years).

5: I need you to share your problem with me and have a recommendation on what to do about it. 

Look, sometimes my team (yes, the spectacular one) gets things wrong. We all code up bugs, we’re not proud of it, and sometimes we do things that aren’t secure. Sorry. We need help; your help. Bring me solutions, bring me tools, and bring me something that makes securing my code easy. I’ve got a lot to think about, I’ve got lots of educating and influencing to do, and I need to get through that stuff fast. Be part of the solution and help me solve the problems you see. That way, I won’t be yelling at you, challenging your competence, and threatening to devour your soul. I don’t think you want that, and quite frankly neither do I.

About Jeff Cratty

As Veracode's Director of Engineering Jeff is an experienced software guy pursuing simple solutions to complex problems. He builds Agile development teams that support each other to deliver value to the business with high velocity and high quality. His passions are mission impossible projects, hard engineering problems, and team empowerment.

Comments (3)

Mark Hausammann | February 3, 2016 1:23 pm

I suppose it is just as complicated on the other side. Those that seek secure code and production implementations in many cases are not as clear on the underlying technology and the coding language you use every day. Many times, the basic flow and fit of the new or enhanced code is not known even by the technology folks. A few suggestions I'd pass along: have a specification document including the flows (Visio), upstream and downstream applications, input and output files, and the networking that will be used. Also, who (anybody and everybody) developed the code? Did you use plug-ins or open source? Lastly, if the application is internet facing, provide a diagram with the ID numbers of all related HW and software (AV, malware protection). Do you have logical access set up based on a need to know? Can the access levels be explained in the King's English? Do you have logging for errors, performance and suspicious activity? All this stuff is needed but most developers don't provide it, and it just turns into a CF usually just before go-live. You have a team. It is very likely the person evaluating your work will be a one-man band. Let the good times roll :) Thanks for listening. Also, I like your writing style. It has a little gloves-off punch to it.

Jeff Cratty | February 4, 2016 1:18 pm

Hey Mark, thanks for your feedback. I hope the folks that read this can all agree that securing our applications is a collaborative activity. As a great leader once mentioned to me, "This is team-ball, gotta do it together."

Ted Marynicz | February 6, 2016 9:27 am

Your first problem is the fact that you have a "Security Team". You shouldn't have one - all that security knowledge should be in every developer's head and built into the code from day one.

Practice 'secure design', model threats and check out tools for automated code review.
