Security

From MgmtWiki
Latest revision as of 09:27, 25 April 2021

Full Title or Meme

For the purposes of Identity Management, Security applies to authorizing access only to the legitimately identified user and to the protection of User Private Information.

Context

  • Security in computer science covers a broad range of topics, like Availability, that are not addressed in this wiki.
  • While some security experts might feel that, in theory, Privacy is a part of security, in practice security and privacy are often at odds and need to be addressed as separate issues by separate sets of proponents.

Problem

  • Security is not a feature of the internet; it is an add-on. Even current development activity, like OAuth 2.0 and OpenID Connect, is successful not because it is secure but because developers like the freedom it offers. For details on that see the page Bearer Tokens Considered Harmful.
  • Study Shows Programmers Will Take the Easy Way Out and Not Implement Proper Password Security. (2019-03-09) "Researchers at the University of Bonn in Germany have found that developers tend to write code that stores user passwords in an unsafe manner, because that is easier than creating a more secure product. The researchers conducted an experiment involving 43 programmers hired via the Freelancer.com platform, and found that developers need to be explicitly told to write code that stores passwords in a safe, secure manner. The researchers asked the participants to use technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component of a website. Only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application's database is made harder to crack with the addition of a random data factor. In addition, 17 of the 43 developers copied their code from Internet sites, suggesting freelancers did not have the necessary skills to develop a secure system from scratch."
  • The above quote is far too optimistic. The number of programmers with the "necessary skills to develop a secure system from scratch" is exceedingly small. The average programmer needs to start from a solution architecture that already encompasses the necessary security. Unfortunately, most programmers do not understand the complexity of good security and decide to add it later, after they have demonstrated a successful product. The day when they have time to address security issues typically does not come until after the product, already in the hands of end users, has been compromised.
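As an added illustration of what the study above calls salting, the following example (written for this page; it is not code from the Bonn study, from ZDNet or from this wiki) puts the unsalted pattern the study found beside a salted, iterated scheme and shows the property that makes the difference: two users who pick the same password get identical stored values unsalted, but distinct ones salted. The algorithm label, iteration count and the single-column record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example (not code from the Bonn study or from this wiki) contrasting
# the unsalted pattern the study found with a salted, iterated scheme.

ALGORITHM = "pbkdf2_sha256"          # assumption: label used in the stored record
DEFAULT_ITERATIONS = 600_000         # assumption: a reasonable PBKDF2-HMAC-SHA256 cost
SALT_BYTES = 16


def store_unsalted(password: str) -> str:
    """The 'easy way out': a bare hash, no salt, no work factor.
    Two users with the same password get the same stored value, so one
    precomputed table (or one cracked hash) exposes all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class StoredCredential:
    """What actually goes in the users table: salt and cost travel with the
    digest so the verifier can recompute it and the cost can be raised later."""
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes

    def encode(self) -> str:
        # One text column, e.g. "pbkdf2_sha256$600000$<salt hex>$<digest hex>"
        return "$".join([self.algorithm, str(self.iterations),
                         self.salt.hex(), self.digest.hex()])

    @classmethod
    def decode(cls, record: str) -> "StoredCredential":
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            raise ValueError(f"unsupported algorithm {algorithm!r}")
        return cls(algorithm, int(iterations),
                   bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))


def store_salted(password: str, iterations: int = DEFAULT_ITERATIONS) -> StoredCredential:
    """Per-user random salt plus a deliberately slow KDF. The salt is not secret;
    its job is to make every stored digest unique and defeat precomputation."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(ALGORITHM, iterations, salt, digest)


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time so
    the comparison itself does not leak how many leading bytes matched."""
    cred = StoredCredential.decode(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


def collision_report(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Register two users with the same password both ways and report whether
    their stored values coincide: they do unsalted, they do not salted."""
    unsalted = [store_unsalted(password) for _ in range(2)]
    salted = [store_salted(password, iterations) for _ in range(2)]
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "salted_identical": salted[0].digest == salted[1].digest,
        "both_verify": all(verify_salted(password, c.encode()) for c in salted),
    }


if __name__ == "__main__":
    print(collision_report("correct horse battery staple"))
```

The record carries its own algorithm name and iteration count, so a deployment can raise the cost for new registrations (or re-hash on the next successful login) without a schema change, which is the usual answer to the "we will fix security later" problem the next bullet describes.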

Solutions

  • It isn't that security is impossibly hard; the problem is that programmers are paid to deliver solutions on time. Since there is never enough time, there will never be any impetus for a programmer to deliver a secure solution. They deliver solutions that let them get home in time for dinner.
  • The only security solution that works in a capitalist society is to convince the CEO that they will suffer if the product is not secure. See the wiki page on Conduct Risk.

References