SQLServerCentral is supported by Red Gate Software Ltd.
Cyberwar
Posted Monday, November 11, 2013 9:46 AM
SSC-Addicted

Group: General Forum Members
Last Login: Thursday, September 11, 2014 10:02 AM
Points: 482, Visits: 796
Nadrek (11/11/2013)
All coding aside, in many to most of our cases, the real question is:

What is the best business case to present to management on why the increased cost, lengthened timelines, increased developer skill requirements, increased testing, and other limitations secure coding entails are worthwhile, and to what degree?


Good question, but one I fear has no answer. The terrorist attacks on 9/11 resulted in numerous companies going out of business due to poor disaster planning. Companies still do not grasp the risk. Security is basically the same thing. Unless the people at the top can be made to understand the risk, they aren't going to do anything about it. I don't believe it is possible to make most of the people in charge understand. Most corporate leaders come from finance and sales roles, not technical roles. They focus on increasing sales and profits, decreasing costs. Spending money on IT has always been hard to justify, because the ROI never seems to materialize. Reduced labor costs don't come true due to people being reassigned once automation takes care of something they used to do. Showing an ROI on a security investment? I just don't see that happening right now. Once enough companies are made to feel the pain of not securing their infrastructure, maybe others will start doing so. Proving the value now is probably not possible given how leaders tend to value investment.


Dave
Post #1513185
Posted Monday, November 11, 2013 9:58 AM


SSC-Dedicated

Group: Administrators
Last Login: Today @ 4:16 PM
Points: 31,018, Visits: 15,456
I'd still argue this is more an internal developer professionalism issue than a business case.

We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.

If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1513192
Posted Monday, November 11, 2013 10:05 AM
SSC Eights!

Group: General Forum Members
Last Login: Monday, September 15, 2014 11:09 AM
Points: 869, Visits: 2,399
Steve Jones - SSC Editor (11/11/2013)
If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

... though many business people might prefer to roll the dice that their information will not be lost/copied.


Clearly, many people do not yet have the skills and knowledge - gaining such does take time and money, and slows down projects, since they would "work" insecurely just as well as they "work" securely.

That last comment is exactly on target, though - security comes in three basic flavors:
1) (At some point in time) You lose your data and/or you lose your systems, you lose your customers, you lose your membership, and you go out of business.
2) (At some point in time) You lose some of your data and/or you lose some of your systems, you lose some of your customers, you spend a lot on immediate remediation, and you suffer reduced business and/or increased cost of doing business.
3) (At some point in time) You fail to lose some of your data and/or some of your systems.

It's essentially the same set of arguments as dealing with natural disasters, fires, and so on, without the loss of life and usually without the physical destruction of property.
Post #1513194
Posted Monday, November 11, 2013 12:11 PM


SSCertifiable

Group: General Forum Members
Last Login: Today @ 9:37 AM
Points: 5,425, Visits: 3,161
Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.

Steve, sorry but I disagree. Yes, examples should be complete, including best security practices where appropriate; however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1513216
Posted Monday, November 11, 2013 12:23 PM


SSC-Dedicated

Group: Administrators
Last Login: Today @ 4:16 PM
Points: 31,018, Visits: 15,456
Gary Varga (11/11/2013)

Steve, sorry but I disagree. Yes, examples should be complete, including best security practices where appropriate; however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


Yes, but password management, authentication, secure coding for SQL calls, all of these techniques and skills exist. If we all used them from the beginning, as part of our habit, the effort in planning and engagement would be much, much lower.

I'm not saying all security decisions can be removed, but lots can.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1513221
Posted Monday, November 11, 2013 12:24 PM
SSC-Addicted

Group: General Forum Members
Last Login: Thursday, September 11, 2014 10:02 AM
Points: 482, Visits: 796
Gary Varga (11/11/2013)
Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.

Steve, sorry but I disagree. Yes, examples should be complete, including best security practices where appropriate; however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


I do not read what you wrote as trying to start an argument. No worries at all.

I think I am the one who is having difficulty describing my point. Let me do it another way. If we take an example where a company has not done anything to date, and so they begin today to figure out what needs to be done. Next week they start fixing things. They know it will take 6 months to do so. If in 1 month they get hacked, and the result of the hacking is that they end up closing their doors permanently, then my point is it was too late.

That does not mean we shouldn't try. On the contrary, I am trying to convey the point that even starting now may be too late, but of course we can hope it isn't too late. I fear in some cases, we are so far past where we need to be, that some companies simply can't afford what it is going to take to fix things.

I did not intend to convey an opinion that it is too late to start. I also do not mean to convey that it is too late after a breach has occurred; odds are everyone has had a breach anyhow. I am simply trying to convey that regardless of when we start, in hindsight we may find it was too late, that we should have started earlier.

Now, if this isn't clear enough, I am going to just give up. I know what I want to say, but methinks I am failing!

Next, you expressed exactly what I was going to attempt to say in regards to Steve's comment, but I gave up as I did not want to sound critical of his points. I agree with Steve that we should try, just that there are costs whether we see them or not. You said it better than I was going to.


Dave
Post #1513222
Posted Monday, November 11, 2013 4:15 PM


SSC-Dedicated

Group: Administrators
Last Login: Today @ 4:16 PM
Points: 31,018, Visits: 15,456
djackson 22568 (11/11/2013)


I think I am the one who is having difficulty describing my point. Let me do it another way. If we take an example where a company has not done anything to date, and so they begin today to figure out what needs to be done. Next week they start fixing things. They know it will take 6 months to do so. If in 1 month they get hacked, and the result of the hacking is that they end up closing their doors permanently, then my point is it was too late.

That does not mean we shouldn't try. On the contrary, I am trying to convey the point that even starting now may be too late, but of course we can hope it isn't too late. I fear in some cases, we are so far past where we need to be, that some companies simply can't afford what it is going to take to fix things.

I did not intend to convey an opinion that it is too late to start. I also do not mean to convey that it is too late after a breach has occurred; odds are everyone has had a breach anyhow. I am simply trying to convey that regardless of when we start, in hindsight we may find it was too late, that we should have started earlier.

Now, if this isn't clear enough, I am going to just give up. I know what I want to say, but methinks I am failing!

Next, you expressed exactly what I was going to attempt to say in regards to Steve's comment, but I gave up as I did not want to sound critical of his points. I agree with Steve that we should try, just that there are costs whether we see them or not. You said it better than I was going to.


Pretty clear, and makes sense to me. It will be too late for some, not for others. Ultimately you never know until you close your doors.

In terms of costs, for some it's minor, some it's easily doable over time, some it's not cost effective at all.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1513289
Posted Monday, November 11, 2013 4:22 PM


SSC-Dedicated

Group: General Forum Members
Last Login: Today @ 1:47 PM
Points: 35,215, Visits: 31,667
Steve Jones - SSC Editor (11/11/2013)
I'd still argue this is more an internal developer professionalism issue than a business case.

We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.

If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.


I think this is the perfect justification for the implementation of standards and 100% code reviews. It also justifies special test software that will test the begeesus out of your applications for "penetration". We do both.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1513292
Posted Monday, November 11, 2013 4:52 PM
SSC-Addicted

Group: General Forum Members
Last Login: Thursday, September 11, 2014 10:02 AM
Points: 482, Visits: 796
Jeff Moden (11/11/2013)
Steve Jones - SSC Editor (11/11/2013)
I'd still argue this is more an internal developer professionalism issue than a business case.

We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.

If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.


I think this is the perfect justification for the implementation of standards and 100% code reviews. It also justifies special test software that will test the begeesus out of your applications for "penetration". We do both.


Jeff, it would seem you are fortunate to work for someone who understands the real world. I am happy for you! I only wish the attitude your company has was more prevalent. Sadly, both businesses and countries seem to frequently ignore it.


Dave
Post #1513303
Posted Tuesday, November 12, 2013 2:44 AM


SSCertifiable

Group: General Forum Members
Last Login: Today @ 9:37 AM
Points: 5,425, Visits: 3,161
Steve Jones - SSC Editor (11/11/2013)
Gary Varga (11/11/2013)

Steve, sorry but I disagree. Yes, examples should be complete, including best security practices where appropriate; however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


Yes, but password management, authentication, secure coding for SQL calls, all of these techniques and skills exist. If we all used them from the beginning, as part of our habit, the effort in planning and engagement would be much, much lower.

I'm not saying all security decisions can be removed, but lots can.


In the context of SQL Server, yes. And I guess as this is SQLServerCentral.com then that is the default context, but it often exists in the overall stack of an application and we must remember that it can be more complex and therefore costly (not just monetarily).


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1513370