I’m having something of a dilemma today. An important part of my job is keeping current with security issues so that we can provide appropriate guidance for dealing with those risks in the SDL. A great way to keep current with security issues is to hang out at hacker cons. Now on one hand, I really love hacker cons. I always find sessions that are relevant, I always meet interesting new people and catch up with old friends, the liquor flows freely at the after-parties…there are lots of great reasons. And it’s fun to speak at these shows too. But I have to honestly ask myself, how much good am I doing? If I stand in front of a group of netadmins and pentesters and describe a new method of hacking Ajax apps, what have I really accomplished? I suppose that a few of those people might use my ideas to find vulnerabilities in the field, which is good. But security shouldn’t start with the pentester – after all, you can’t test security into a product. Security should start with the developer, and then continue on with the tester, the pentester, the netadmin, and everyone else in the product lifecycle.
Instead of teaching pentesters how to find vulnerabilities, I’d rather be teaching developers how to write their code correctly in the first place so that the pentesters don’t have any vulnerabilities to find. But, as a general rule, developers don’t really attend hacker cons. They attend developer cons. There are of course exceptions to this rule, but ask yourself honestly: How many people do you suppose really go to DEFCON to learn how to write secure code versus those who go to learn how to break things? Now, I love developer cons too. I always find sessions that are relevant, I always meet interesting new people and catch up with old friends, and while the liquor may not flow quite as freely I still always manage to have a great time. But here’s the dilemma: developers don’t go to developer cons to hear about security. They go to hear about sexy new OS or language or compiler features. There’s nothing sexy about developer security. Nobody wakes up on Monday morning and says, “Wow! I get to go work on developer security issues today! Awesome!” OK, I have to admit that I actually do this – really – but I’m probably an atypical example. For most people, following the SDL is a lot like flossing their teeth. They know they’ll regret it later if they skip it, but that doesn’t make it any more fun right now.
So what can we do to make security a little more fun? What’s the adult equivalent of a Hello Kitty or Power Rangers toothbrush? For better or worse, I haven’t been able to think of one. But maybe we can take a different approach to the problem. What if, instead of trying to make the SDL fun, we tried to make it as painless and unobtrusive as possible? To put it another way: What if, instead of having to floss your teeth yourself, little gnomes came in and flossed your teeth for you while you slept? (OK, that’s a little creepy, but you get the point.) Think about the /GS compiler option in Visual C++, or the ValidateRequest page directive in ASP.NET. These security features provide excellent defenses against stack overruns and cross-site scripting attacks (respectively), and the best part is that developers get them essentially for free. If we can automate enough SDL requirements this way, developers could spend more time implementing new features and less time worrying about security. And that would be truly sexy.
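As an added illustration of what "developers get them essentially for free" looks like in practice (example code written for this post, not the author's code and not the ASP.NET implementation): a small Python sketch of a framework-level request filter applied as a decorator, so that a handler whose author wrote no validation at all still rejects markup-like input before it is ever echoed into a page. The rejection rule, the `validate_request` decorator and the handler names are assumptions; the rule is modelled only loosely on the kind of sequence ASP.NET request validation blocks, not a reproduction of it.

```python
import re
from typing import Callable, Dict

# Constructed approximation of a blanket input check that a framework can apply
# before any handler runs. ASSUMPTION: loosely modelled on the sequences ASP.NET
# request validation rejects ('<' followed by a letter, '!', '/' or '?', and
# '&#' entity prefixes); it is not the framework's actual rule set.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


class RequestValidationError(ValueError):
    """Raised when a request field contains a rejected sequence."""


def is_dangerous(value: str) -> bool:
    """True if the value contains a markup-like sequence the filter rejects."""
    return _DANGEROUS.search(value) is not None


def validate_request(handler: Callable[[Dict[str, str]], str]) -> Callable[[Dict[str, str]], str]:
    """Decorator standing in for a framework hook (hypothetical name).

    Every form field is checked before the wrapped handler sees the request, so
    the protection costs the handler's author nothing.
    """
    def wrapped(form: Dict[str, str]) -> str:
        for key, value in form.items():
            if is_dangerous(value):
                raise RequestValidationError(f"potentially dangerous value in field {key!r}")
        return handler(form)
    return wrapped


def render_greeting_unprotected(form: Dict[str, str]) -> str:
    # Reflected XSS: untrusted input is echoed straight into HTML.
    return f"<p>Hello, {form['name']}</p>"


@validate_request
def render_greeting_protected(form: Dict[str, str]) -> str:
    # Identical handler body; the only difference is the framework-level hook.
    return f"<p>Hello, {form['name']}</p>"


def demo() -> Dict[str, str]:
    """Run both handlers over a benign and a hostile (constructed) request."""
    benign = {"name": "Alice"}
    hostile = {"name": "<script>alert(1)</script>"}  # constructed sample input
    results = {
        "unprotected_benign": render_greeting_unprotected(benign),
        "unprotected_hostile": render_greeting_unprotected(hostile),
        "protected_benign": render_greeting_protected(benign),
    }
    try:
        render_greeting_protected(hostile)
        results["protected_hostile"] = "rendered"
    except RequestValidationError:
        results["protected_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The caveat a practitioner should keep in mind: a blanket filter of this kind is a safety net, not the fix. It also rejects legitimate input that happens to look like markup (a field where users paste `a <b> c`, for instance), and it does nothing for input that reaches the page by other routes, so output encoding at the point where data is written into HTML remains the primary defense; the filter simply makes the common mistake cheaper to survive.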