The other day, I was reading about hacking attacks. SQL injection, Metasploit, cross-site scripting, insecure serialization, etc.
During the discussion, the topic suddenly shifted to why big companies and organizations get hacked. The host’s answer was … it’s the developers’ fault.
It’s the developers’ fault? What? This really upset me.
According to him, if we check out the history, most of the attacks that happened in the past have been application-based.
Insecure code. Most developers do not know how to write code that is secure. I am no different. It’s because universities don’t teach how to write better, secure code; they don’t teach about vulnerabilities and exploits. THEY DON’T!!!
The problem doesn’t end there. Day by day, we’re writing more code. More code means more vulnerabilities. Because we developers have to write so much code, and so much faster, we do stupid things. This really scares me…
As usual, the developer looks to be the culprit here… I just don’t believe it’s true. It’s not only the developers’ fault. Lemme tell you the real problem.
Traditionally, when any application was developed, it had to go through iterations. Developers would strictly write the code for the whole application -> it would go to the server team to host it -> then it would go to the network team to put it on the proper network -> it would go to quality control to make sure there were no bugs -> and then we had the security team to find flaws in it.
It took almost a year to release a software product this way and, mind you, a release in a year is pretty fast. But we want our software now. Tomorrow.
So companies went from a big modular design to a microservices design. A lot of companies do this and it’s great. It helps developers deliver features faster. But there’s a problem. Instead of hosting my app/software on a server that my server team previously built for us, we’re handing that to the developer.
Containers, Docker: these things have made it easier to deploy things on the cloud, a place which is no different from someone else’s server.
So now we don’t need a server team anymore; deploying is easier, and developers will do that for us. And the network team? Who needs a network team? It’s all managed by our cloud.
Well… why do we have a server team? Because they are people specialized in server management. They know how to do stuff right, because knowing how to properly deploy a server and making sure that it runs well all the time… is a skill… that’s why we had a team dedicated to it.
The same goes for the networking team, the quality control team, the security team … but NO! We have Docker containers, we have the cloud and, most importantly, our developers can now deploy apps and software with the click of a button.
Developers are good at writing code; they aren’t good at deploying servers!! Come on!!
So what ends up happening is we deploy containers and servers that are not deployed as per best practices, that are not deployed by professionals in the job… and that opens up a lot of opportunities for hackers. They just need one little mistake to exploit the whole network…
With this new agile mindset, developers are expected to deliver faster, and manual, human-tested things are replaced by automated tests… A mysterious place where developers are everything. They are environment owners, network admins, server admins, feature owners and what not… that’s scary!!
Lemme say that it cannot be like ‘let’s let our developers be admins. Let them learn new skills.’…
No!! Let them do their job. Let them do the development… On the other hand, the answer is also not like ‘let’s go back to traditional processes where software used to be released in a year’…
So what do we do?
I really, really appreciate the kind of processes managed by my current organization for development. The process is that they don’t commit the whole feature at one time. Developers write their code and check it in the dev environment; before actually committing, a bunch of automated tests run to make sure that the piece of code I wrote doesn’t break anything in the environment, and then it gets committed. We do that piece by piece and boom, the feature gets completed.
It’s kind of crazy, right? No!
This is precisely why things like these scare me the most. Yes, it’s very cool that we’re automating the process and we’re able to deploy our code so much quicker, but my biggest fear is that, in attempts to make things faster, we’re making ourselves insecure.
The roles of the server team and quality control teams are slowly shifting to the left, into developers’ hands. Developers are thereby able to bypass a lot of these teams for the sake of being fast.
We have to ask ourselves… ‘Is that code safe?’, ‘Are we deploying our apps and software in containers that are secure?’, ‘Are our containers talking over the right network?’, ‘Are they calling things that they shouldn’t?’…
Why are we doing this to developers? Yes, there are some gifted developers who have these kinds of skill sets, but a lot of them don’t!!!! They’re not experts…
I mean, how many examples should I show you that I can run the simplest attacks, like SQL injection and cross-site scripting, on my dev environment and they work!!!
The answer to this is the same as our problem. Automation.
We don’t need to make our developers feature owners, security engineers… let them be good at coding. Let them do their job. If we want to be faster, we should make sure that our processes are designed to make this more secure.
We should give all the responsibilities that we’re unnecessarily putting on developers back to the teams that deserve those. Every team should do their own work and no extra.
Why does a new developer who joined recently need to schedule meetings with your senior engineers to decide the scope of your feature? Why can’t your managers do that ahead of time? Why does your developer have to be a feature owner and update all your documentation along the way?
Look, I’m not against any of the processes. I know these things haven’t come out of the blue; these processes were well thought out, but days are different now. There’s huge competition going on out there in the world. It’s a time when launching your product 5 minutes ahead of your competitor could benefit you a lot…
I understand all this, but my problem is that we are creating opportunities for hackers in the process of developing more.
Deliver less but have enough specialized resources that do their dedicated job well and reduce developer responsibilities.
You should have people in the middle, between developers and deployments. People who have a developer mindset but also know IT operations.
A MAN IN THE MIDDLE … to stop MAN IN THE MIDDLE attacks !!!