Data Driver

Blog archive

Is Security Worth Risking Your Job?

It's 1:30 a.m., you're sweating bullets and your head is pounding. You can feel the stress wracking your body as you try to concentrate. The code-complete deadline for your part of the module is coming up, and the bean-counters are on everyone's back. Product has to ship on time -- period.

You've almost got that last, thorny problem licked, but testing all the different security scenarios with this new cloud-based database-conversion tool takes soooo much time. A potential "connection string pollution" vulnerability has popped up in the back of your mind, but you're unsure how dangerous it is -- or even if it's possible. It's a brand-new threat. It will take forever to investigate.

What the heck. No one will ever find it. You can't be the one holding things up -- again. There are thousands of talented coders out there who would jump at the chance to slide into your job at half your salary. You've got mouths to feed. Let QA worry about it.

Could this happen? Has it? Who's to blame for the sorry state of application security these days?

Here's a chilling quote:

"Security is not something app developers have prioritized in the past. Their focus has been getting a product that has a competitive edge in terms of features and functionality to market as quickly as possible. That's not a criticism, it's just a factor of commercial priority."

That just happens to have come from the world's biggest app dev shop, shipping more "product" than anyone else: Microsoft. David Ladd, principal security program manager at Microsoft, said it in a news release earlier this week announcing that the company is "helping the developer community by giving away elements of its Security Development Lifecycle process."

It couldn't come at a better time. "Today, in the middle of the worst economic downturn in thirty years, information security has an enormously important role to play," reads the 2010 Global State of Information Security Survey from PricewaterhouseCoopers.

"Not surprisingly, security spending is under pressure," the report states. "Most executives are eyeing strategies to cancel, defer or downsize security-related initiatives."

But the report is generally optimistic, finding that "Global leaders appear to be 'protecting' the information function from budget cuts -- but also placing it under intensive pressure to 'perform.' "

That makes sense to me. It would have to be the short-sighted executive indeed who would risk all the associated costs of a data breach just to meet a deadline. How bad can those costs be? Just ask TJX.

Then again, that executive has mouths to feed, and "commercial priority" and "intense pressure to perform" could cloud judgment.

What about your shop? Where do the priorities lie? Know any juicy stories about security breaches caused by economic pressures? I'd love to hear about it. Comment here or send me an e-mail. But for goodness' sake, don't put any sensitive information in it. There are bad guys out there.

Posted by David Ramel on 02/04/2010 at 1:15 PM


comments powered by Disqus

Featured

  • Microsoft's Tools to Fight Solorigate Attack Are Now Open Source

    Microsoft open sourced homegrown tools it used to check its systems for code related to the recent massive breach of supply chains that the company has named Solorigate.

  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

Upcoming Events