SQLServerCentral is supported by Redgate
Cyberwar
djackson 22568
Right there with Babe
Group: General Forum Members
Points: 739 Visits: 1176
Nadrek (11/11/2013)
All coding aside, in many to most of our cases, the real question is:

What is the best business case to present to management on why the increased cost, lengthened timelines, increased developer skill requirements, increased testing, and other limitations secure coding entails are worthwhile, and to what degree?


Good question, but one I fear has no answer. The terrorist attacks on 9/11 resulted in numerous companies going out of business due to poor disaster planning. Companies still do not grasp the risk. Security is basically the same thing. Unless the people at the top can be made to understand the risk, they aren't going to do anything about it. I don't believe it is possible to make most of the people in charge understand. Most corporate leaders come from finance and sales roles, not technical roles. They focus on increasing sales and profits, decreasing costs. Spending money on IT has always been hard to justify, because the ROI never seems to materialize. Reduced labor costs don't come true due to people being reassigned once automation takes care of something they used to do. Showing an ROI on a security investment? I just don't see that happening right now. Once enough companies are made to feel the pain of not securing their infrastructure, maybe others will start doing so. Proving the value now is probably not possible given how leaders tend to value investment.

Dave
Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36150 Visits: 18751
I'd still argue this is more an internal developer professionalism issue than a business case.

We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.

If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Nadrek
Ten Centuries
Group: General Forum Members
Points: 1033 Visits: 2673
Steve Jones - SSC Editor (11/11/2013)
If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

... though many business people might prefer to roll the dice that their information will not be lost/copied.


Clearly, many people do not yet have the skills and knowledge - gaining such does take time and money, and slows down projects, since they would "work" insecurely just as well as they "work" securely.

That last comment is exactly on target, though - security comes in three basic flavors:
1) (At some point in time) You lose your data and/or you lose your systems, you lose your customers, you lose your membership, and you go out of business.
2) (At some point in time) You lose some of your data and/or you lose some of your systems, you lose some of your customers, you spend a lot on immediate remediation, and you suffer reduced business and/or increased cost of doing business
3) (At some point in time) You fail to lose some of your data and/or some of your systems.

It's essentially the same set of arguments as dealing with natural disasters, fires, and so on, without the loss of life and usually without the physical destruction of property.
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8358 Visits: 6161
Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.

Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36150 Visits: 18751
Gary Varga (11/11/2013)

Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


Yes, but password management, authentication, secure coding for SQL calls, all of these techniques and skills exist. If we all used them from the beginning, as part of our habit, the effort in planning and engagement would be much, much lower.

I'm not saying all security decisions can be removed, but lots can.

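Steve's two posts above name the habit concretely: teaching examples that "allow SQL Injection" versus "secure coding for sql calls". The T-SQL below is an added example, not code from any post in this thread, and it puts the concatenated dynamic-SQL pattern beside the parameterised one. The table, rows, procedure names and the sort-column allow-list are all constructed for illustration.

```sql
-- Added example, not from the thread: concatenated dynamic SQL beside the
-- parameterised form. Table, data and procedure names are constructed here.
CREATE TABLE dbo.Customers (
    CustomerId   int           NOT NULL PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL,
    Region       nvarchar(20)  NOT NULL
);
INSERT INTO dbo.Customers (CustomerId, CustomerName, Region) VALUES
    (1, N'Acme Ltd',     N'North'),
    (2, N'Baker & Sons', N'South');
GO

-- VULNERABLE: the caller's text becomes part of the statement that runs.
CREATE PROCEDURE dbo.FindCustomers_Vulnerable
    @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers '
      + N'WHERE CustomerName = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- This value closes the string literal and appends OR 1=1; the trailing --
-- comments out the closing quote, so every customer row is returned.
EXEC dbo.FindCustomers_Vulnerable @Name = N'x'' OR 1=1 --';
GO

-- HARDENED: the statement text is fixed and the value travels as a typed
-- parameter through sp_executesql. An identifier that genuinely has to vary
-- (here the sort column) cannot be parameterised, so it is checked against an
-- allow-list and wrapped in QUOTENAME before it touches the statement text.
CREATE PROCEDURE dbo.FindCustomers_Safe
    @Name       nvarchar(100),
    @SortColumn sysname = N'CustomerName'
AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerId', N'CustomerName')
        THROW 50000, N'Unsupported sort column.', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers '
      + N'WHERE CustomerName = @Name ORDER BY ' + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
END;
GO

-- Same payload: it is compared as a customer name, matches nothing, and
-- returns no rows instead of the whole table.
EXEC dbo.FindCustomers_Safe @Name = N'x'' OR 1=1 --';
-- A hostile identifier is rejected by the allow-list before any SQL is built.
EXEC dbo.FindCustomers_Safe @Name = N'Acme Ltd',
                            @SortColumn = N'CustomerName; DROP TABLE dbo.Customers';
GO
```

Two things a reviewer would check beyond the parameter itself: whatever the vulnerable procedure can reach, the attacker can reach with the procedure's effective permissions, so the account it runs under should hold only what the query needs; and sp_executesql protects values, not identifiers, which is why the sort column still goes through an allow-list and QUOTENAME rather than straight concatenation.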
djackson 22568
Right there with Babe
Group: General Forum Members
Points: 739 Visits: 1176
Gary Varga (11/11/2013)
Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.

Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


I do not read what you wrote as trying to start an argument. No worries at all.

I think I am the one who is having difficulty describing my point. Let me do it another way. Take an example where a company has not done anything to date, so they begin today to figure out what needs to be done. Next week they start fixing things. They know it will take 6 months to do so. If in 1 month they get hacked, and the result of the hacking is that they end up closing their doors permanently, then my point is it was too late.

That does not mean we shouldn't try. On the contrary, I am trying to convey the point that even starting now may be too late, but of course we can hope it isn't too late. I fear in some cases, we are so far past where we need to be, that some companies simply can't afford what it is going to take to fix things.

I did not intend to convey an opinion that it is too late to start. I also do not mean to convey that it is too late after a breach has occurred; odds are everyone has had a breach anyhow. I am simply trying to convey that regardless of when we start, in hindsight we may find it was too late, that we should have started earlier.

Now, if this isn't clear enough, I am going to just give up. I know what I want to say, but methinks I am failing!

Next, you expressed exactly what I was going to attempt to say in regards to Steve's comment, but I gave up as I did not want to sound critical of his points. I agree with Steve that we should try, just that there are costs whether we see them or not. You said it better than I was going to.

Dave
Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36150 Visits: 18751
djackson 22568 (11/11/2013)


I think I am the one who is having difficulty describing my point. Let me do it another way. Take an example where a company has not done anything to date, so they begin today to figure out what needs to be done. Next week they start fixing things. They know it will take 6 months to do so. If in 1 month they get hacked, and the result of the hacking is that they end up closing their doors permanently, then my point is it was too late.

That does not mean we shouldn't try. On the contrary, I am trying to convey the point that even starting now may be too late, but of course we can hope it isn't too late. I fear in some cases, we are so far past where we need to be, that some companies simply can't afford what it is going to take to fix things.

I did not intend to convey an opinion that it is too late to start. I also do not mean to convey that it is too late after a breach has occurred; odds are everyone has had a breach anyhow. I am simply trying to convey that regardless of when we start, in hindsight we may find it was too late, that we should have started earlier.

Now, if this isn't clear enough, I am going to just give up. I know what I want to say, but methinks I am failing!

Next, you expressed exactly what I was going to attempt to say in regards to Steve's comment, but I gave up as I did not want to sound critical of his points. I agree with Steve that we should try, just that there are costs whether we see them or not. You said it better than I was going to.


Pretty clear, and makes sense to me. It will be too late for some, not for others. Ultimately you never know until you close your doors.

In terms of costs, for some it's minor, some it's easily doable over time, some it's not cost effective at all.

Jeff Moden
SSC-Forever
Group: General Forum Members
Points: 45129 Visits: 39923
Steve Jones - SSC Editor (11/11/2013)
I'd still argue this is more an internal developer professionalism issue than a business case.

We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.

If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.


I think this is the perfect justification for the implementation of standards and 100% code reviews. It also justifies special test software that will test the begeesus out of your applications for "penetration". We do both.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
Although they tell us that they want it real bad, our primary goal is to ensure that we don't actually give it to them that way.
Although change is inevitable, change for the better is not.
Just because you can do something in PowerShell, doesn't mean you should.

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
djackson 22568
Right there with Babe
Group: General Forum Members
Points: 739 Visits: 1176
Jeff Moden (11/11/2013)
Steve Jones - SSC Editor (11/11/2013)
I'd still argue this is more an internal developer professionalism issue than a business case.

We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.

If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.

In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.


I think this is the perfect justification for the implementation of standards and 100% code reviews. It also justifies special test software that will test the begeesus out of your applications for "penetration". We do both.


Jeff, it would seem you are fortunate to work for someone who understands the real world. I am happy for you! I only wish the attitude your company has was more prevalent. Sadly, both businesses and countries seem to frequently ignore it.

Dave
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8358 Visits: 6161
Steve Jones - SSC Editor (11/11/2013)
Gary Varga (11/11/2013)

Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.


Yes, but password management, authentication, secure coding for SQL calls, all of these techniques and skills exist. If we all used them from the beginning, as part of our habit, the effort in planning and engagement would be much, much lower.

I'm not saying all security decisions can be removed, but lots can.


In the context of SQL Server, yes. And I guess as this is SQLServerCentral.com then that is default context but it often exists in the overall stack of an application and we must remember that it can be more complex and therefore costly (not just monetarily).

Gaz