The first problem any security project has is to get executive support. The second problem is to find a way to make use of and direct that executive support.
Developers should be prepared to defend against a Manager in the Middle attack.
— Alun Jones (@ftp_alun) November 9, 2015
So, that was the original tweet that seems to have been a little popular (not fantastically popular, but then I only have a handful of followers).
I’m sure a lot of people thought it was just an amusing pun, but it’s actually a realisation on my part that there’s a real thing that needs naming here.
By and large, the companies I’ve worked for and/or with in the last few years have experienced a glacial but certain shift in perspective.
Where once the security team seemed to be perceived as a necessary nuisance to the executive layers, it seems clear now that there have been sufficient occurrences of bad news (and CEOs being forced to resign) that executives come TO the security team for reassurance that they won’t become the next … well, the next whatever the last big incident was.
Obviously, those executives still have purse strings to manage, and most security professionals like to get paid, because that’s largely what distinguishes them from security amateurs. So security can’t get ALL the dollars, but it’s generally easier to get the money and the firepower for security than it ever was in the past.
So executives support security. Some of them even ask what more they can do – and they seem sincere.
Well, some of them do, but that’s a topic for another post.
There are sufficient numbers of developers who care about quality and security these days that there’s less of a need to push the security message to developers quite the way we used to.
We’ve mostly reached those developers who are already on our side.
And those developers can mentor other developers who aren’t so keen on security.
The security-motivated developers want to learn more from us, they’re aware that security is an issue, and for the most part, they’re capable of finding and even distinguishing good security solutions to use.
If the guys at the top, and the guys at the bottom (sorry devs, but the way the org structure goes, you don’t manage anyone, so ipso facto you are at the bottom, along with the cleaners, the lawyers, and the guy who makes sure the building doesn’t get stolen in the middle of the night) care about security, why are we still seeing sites get attacked successfully? Why are apps still being successfully exploited?
Why is it that I can exploit a web site with SQL injection, an attack that has been around for as long as many of the developers at your company have been aware of computers?
Someone is getting in the way.
Ask anyone in your organisation if they think security is important, and you’ll get varying answers, most of which acknowledge that the software being developed needs security, so it’s clear that you can’t actually poll people that way for the right answer.
Often it’s the security team – because it’s really hard to fill out a security team, and to stretch out around the organisation.
But that’s not the whole answer.
Ask the security-conscious developers what’s preventing them from becoming a security expert to their team, and they’ll make it clear – they’re rewarded and/or punished at their annual review times by the code they produce that delivers features.
And because managers are driving behaviour through performance reviews, it actually doesn’t matter what the manager tells their underlings, even if they give their devs a weekly spiel about how important security is. Even if you have an executive show up at their meetings and tell them security is “Job #1”. Even if he means it.
Those developers will return to their desks, and they’ll look at the goals against which they’ll be reviewed come performance review time.
If managers don’t specifically reward good security behaviour, most developers will not produce secure code.
This is the Manager in the Middle Attack. Note that it applies in the event that no manager is present (thanks, Dan Kaminsky!)
— Dan Kaminsky (@dakami) November 10, 2015
Because I never like to point out a problem without proposing a solution:
Managers have to actively manage their developers into changing their behaviours. Some performance goals will help, along with the support (financial and moral) to make them achievable.
Here are a few sample goals:
That’s quite a bunch of security-related goals for developers, which managers can implement. All of them can be measured, and I’m not so crass as to suggest that I know which numbers will be appropriate to your appetite for risk, or the size of hole out of which you have to dig yourself.