Is DIY security worth the risk? Tony Lavinio offers a solution to save programmers from poorly documented open source software and non-existent test suites.
In the early days of networking, security was at best an afterthought. Passwords were to stop the casual nosy coworker, or to challenge a fellow student’s resourcefulness. It didn’t take long, however, before we realized that real data needed to be protected against those who would steal, reveal or destroy.
Bruce Schneier is an influential computer security expert who began to address this topic decades ago, and he’ll long be remembered for his definitive work on the subject, Applied Cryptography (ISBN: 978-1-119-09672-6). This book taught programmers like me the basics of encryption and protection. From it we learned guiding principles and explanations of security technology. Actual examples in code let us see how things were supposed to be used and how they could work together.
It’s not always “the bad guy” who is after the data anymore. Foreign government agencies, oppressed citizens, competitors—these all have reasons for wanting either to protect information or to bypass protection altogether. Some reasons are good, some not so much. Often one side’s traitor is the other side’s hero. This is made abundantly clear in Schneier’s recent book, Liars and Outliers (ISBN: 978-1-118-14330-8). Society works because most of us follow the rules most of the time. There are all sorts of contracts that enforce this, ranging from the written legal document to the informal agreements of daily civilized life.
Doing the right thing is a delicate balance, and as individuals we may wander back and forth across that line. When is a speed limit a good idea? When your child is learning to drive. When is the law inconvenient? When you’re running late for work. Several sections of the book deal with the delicate balance for individuals between following group norms (thus increasing our reputation) and maximizing self-interest by breaking the rules just ever so slightly (thus losing credibility and damaging future relationships).
The issues scale up and out from there. Someone may be offended by a company’s business practices. Is it ethical therefore to dox their employees or their customers?
While most users will never give any trouble, there are those individuals who live at both ends of the bell curve. This book is an excellent and useful resource for understanding their behavior and their motivations. And large social organizations like governments and corporations have similar behavioral profiles. It’s useful to know where we sit, both in our company and in our culture.
So as a developer, you are charged with protecting your systems. Where do you begin? Just as the developer coding the user interface needs the help of interaction designers who themselves model users, in protecting your systems you too need to know what threats to expect. Fake orders? Denial-of-service? Hacking by competitors? Vandalism? Your own ISP inserting ads into your in-flight HTML?
And how will you know if it’s good enough?
There are some risks you can mitigate. Writing your own software from scratch is always an option, but for many jobs it’s just prohibitive. You can use well-tested libraries with source available, or purchase them from companies with good reputations.
I once heard that to a mathematician, the word “trivial” meant “I think this is easy to see and I don't want to waste my time in proving it.”
It’s similar with programmers: once we get something working, the thrill is gone and we want to go on to the next thing. This is one of the reasons there is so much excellent open-source software, yet much of it has relatively poor documentation or nearly nonexistent test suites.
At DataDirect Technologies we focus on database drivers. It’s true that for many of these you can find free alternatives. However, the costs of using them can include a lack of support, complete documentation or rigorous testing—not to mention that they won't have our world-class performance numbers. We continually look for the things that your particular definition of “bad guy” will want to exploit. We worry about having the right version of OpenSSL. We worry about buffer overflows. We worry about handshakes and encryption. We worry so you can worry about something else, like your business.
You can find free trials of all of our drivers on our website. For more information or further questions, contact us or leave a comment below.
Tony Lavinio started in the 8-bit world with 6502 and Z-80 assembly. An experience with dBase II ignited Tony's passion for databases, and he soon found himself using Progress (now OpenEdge) 3.2J around 1987. He was so impressed that he wanted to work for the company, and has since spent time either working for Progress or for its customers. Since 2002, Tony has worked on XML and EDI products, and now focuses on database drivers.