Security and developpers

I have always wondered, why is security so hard for developpers?

I'm a system engineer and i've worked in some highly secured environments for banks.  I've seen my share of badly secured software, not to mention badly written software in general.  Sometimes, the problems are in the design. Then the problem is not in the code, so whatever the developpers did after the design was made is irrelevant.  Sometimes it's just lazyness of the developper.  Why going though the trouble of finding a secure way to handle passwords if you can use them in plain text.  But sometimes, the problem is introduced right at the end, while writing the installation manual.  The last one is just sad!

Recently I was asked to install an application that gathers all configuration information from every server, database, ... and sends it to a centralized server.  That server would use the information gathered to do consistency checks.  Great product and it would save us a lot of problems in the long run.  The communication between agents and master will be encrypted using SSL.  Great, right?

The installation procedure stated that the private key of the server had to be copied on every agent (about 1000 servers).  I don't understand this way of thinking. Why is it called "private" if you copy it to every server? In this case, if 1 agent gets compromised, that agent can impersonate itself as the master and gather the info from all the serverpark, being a big security risk.

Ok, I do understand that you decide not to create 1000 private keys...  But maybe you can make 2? 1 for the master and 1 for every agent.  This way, if 1 agent gets compromised, only bogus info can be sent to the master, no info can be stolen...  Off course, we deviated from the installation manual to fix this issue...

Why is it so hard to ask an experienced system/security engineer to review the software before distributing it to customers?

Automatisation is the future

After 15 years working in IT as a system engineer, I've seen the evolution from the good old days to off-shoring and near-shoring.

Cost ...

it is the most important word in the IT business.  That is what we are for a business and the goal is to reduce the cost...  In the good old days, money was no issue.  I worked for a bank where an investment of 2 million euros was made solely based on the discount that the supplier was giving...  Did we really need hardware of 2 million euros?  Not in the least, the biggest part of the hardware was just collecting dust in the years to come...
During that time, the cost that is called: 1 FTE was no issue.  The only problem companies had was finding the right people, and once found, the numbers were not important...

One day, the idea grew that there were people everywhere in the world and that there are computers everywhere in the world, so statistically speaking, there are some people everywhere who can use a computer...  From that idea, off-shoring was born.  There were some problems like the language.  Try to understand some Indian guy in the middle of the night spelling some flemish URL ... hell!
Some other problems were "understanding the customer".  Some HP guy once told me that he got a call on a Saturday morning from India telling him that the website from Mr Ing was down...  ING is one of the biggest international banks in Belgium.  They thought some tennisclub website was down or something.  In reality, the whole ING bank was down!
Another important problem is knowledge.  I can understand that Indian guys are also very smart in computer stuff, but not all of them...  Companies think they can just pick someone from the streets of India, asking them to spell Linux and if they are able to, just give them a contract.  So, a lot of these guys have no idea what they are doing...
The list of problems just goes on like the time difference, other customs, ...

Ok, the solution to this was: near-shoring.  Don't look too far, maybe some of the problems will disappear if we are closer to home ... they didn't ...

Now, for the first time in 10 years, I see an evolution in the opposite way.  I also see opportunities.  Tools like jenkins, puppet, ... they give us the opportunity to drastically increase our efficiency.  I think we need to focus on showing the IT world that we can have a big advantage over *-shoring because, we have the knowledge and the expertise to create a new way of working...  If my sense of the future is correct, I think this will save our jobs.

But, as always, time will tell.