Start today, secure tomorrow.
The South by Southwest event in Austin Texas featured a conference call on stage between Edward Snowden and Christopher Soghoian, privacy researcher and activist. During this conference call Snowden called developers the firefighters of the internet. He stated that agencies such as the NSA are “setting fire to the future of the internet”. Soghoian replied by saying: “We need to lock things down. We need to make services secure out of the box. It’s going to require a rethink from developers”. Snowden replied and said he would like to see developers increase security of software. He added that developers should work to make encryption easily available and easy to use for the masses.
According to Snowden, encryption is the only protection from agencies like the NSA, which, he claims, harm the integrity of the internet. Developers should focus on fighting this by creating more secure software.
The mentioned “rethink” is going to be a tough job: the focus of development has always been on functionality and efficiency. This means developers have always been educated (for the percentage that hasn’t taught themselves) to optimize code or to rapidly increase functionality. Because focus was on those two things for such a long time, it’s going to be tough to accomplish this major shift in the way developers approach security.
Whenever our pentesters get to test software for vulnerabilities, it’s often the same scenario: software gets tested right before it goes into production (or after!) to test if it’s ready for safe use. Basically this is what happens: according to client design a team of developers writes software. When they’re done, they ask us to test if their design and software was built secure. I’d like to illustrate the way I see this with the following analogy: what if we were to design and construct a dam? Would we wait until it’s done to see if any water comes through? We probably wouldn’t, as this is a ridiculous approach. We would most likely think about this during design and keep an eye on it during the construction of the dam. So why doesn’t this happen in software development?
The QODE network
In our ideal world we would like to prevent security flaws instead of finding them. That’s why we started the QODE network: to help create security awareness amongst developers and architects. QODE aims to raise awareness by enabling developers and architects to attend security events, meet leading security specialists and by organizing hands-on security workshops. In addition to the workshops, to increase security knowledge, QODE features a platform for Q&A about security. We wanted to start a community of developers and architects to increase focus on security during development.
The ultimate goal would be that software doesn’t need a pentest, but is secure right from the off. This might not be a goal that can be achieved. However, a large amount of the vulnerabilities can be prevented. This will only happen if security becomes integrated in development, developers rethink their craft and become the firefighters of the internet.