One debate that remains incandescent in the security world is the question of how much developers should be held accountable for security. Dinis Cruz did a presentation at OWASP recently on why security should be invisible to developers.
His basic argument is that security is for security people and building things is for people who build things. He says that security people should stop rubbing developers’ noses in their problems and make security transparent so developers don’t need to think about it.
This is mostly a horrible idea.
The easiest way to see this is to take the concept of “building” to any other domain. Quite simply, anyone who “builds” something needs to be responsible for its security. Whether it’s a skyscraper or an automobile, the excuse of “You didn’t give me secure stuff to build with so I made a death trap.” isn’t a strong defense.
It’s true that there are different types of people who “build” buildings. There are those who design them and then there are those who put drywall in and nail up plywood. Perhaps the argument is that people who do basic construction shouldn’t have to know how to build a structurally sound skyscraper.
I could grant that, but it doesn't mean that all builders are unaccountable. Someone on the team creating that structure has to confirm to the earthquake codes, the fire codes, etc. There is a person who's reputation is on the line if they erect a structure that has safety issues.
So, if we’re saying hammer and nails construction people are like entry-level developers who don’t need to know the ins and outs of security, then I ask you who the architect is. Remember that you can’t just send a bunch of hammer and nail guys in to build a skyscraper — you need an architect to lay out an approved plan.
That architect has his license and reputation at risk, and that’s the piece that we’re missing in software. Saying that "developers" don't need to understand security is just wrong. Coders need to be identified as one of two types: hammer and nails types, or design/architecture types. If they’re hammer and nails guys then they shouldn’t be allowed to code without the supervision and review of who is able to put her name on the line.
The one thing that’s completely out of the question is the notion of separating "building" from "security" altogether. It’s not true anywhere else, and it shouldn’t be true for software. You cannot claim to be a "good" developer if you create things you don't understand -- especially when those elements that are nebulous to you have security/safety implications.
If the earthquake certification engineers ask an architect how his building will withstand a 7.0 earthquake on the 19th floor, his answer better not be, "Yeah, I just deal with the stacking of the floors on top of each other -- not so much the making sure they don't fall down."
Security is now part of the process, and it will only become more so as time goes on. If Dinis's only argument was to say we as an industry should make it *easier* for developers to be good at understanding the security of their applications, then I agree wholeheartedly. But he didn't make that argument. Instead he essentially said that they shouldn't be troubled with the issue at all because they're doing the privileged work of building. He wants a clear distinction there, and that's where the mistake was made.
Building something is inexorably tied to securing it. This is true whether we're talking about castles, baby strollers, automobiles, or software applications. Developers don’t get a pass. Building things is hard precisely because there are so many considerations. If a developer doesn't understand how to build securely there's only one proper name for him: a junior developer. ::