SQLServerCentral Article

A few reflections on security by a weary application developer
I am an application guy, but I am also a CISSP - Certified Information Systems Security Professional. I come by this credential honestly, programming systems that take credit card payments. Application guys want your money, oh yes, we do. We take great pains to remove all obstacles in getting it.

I wish that you could see my colleagues at a CISSP chapter meeting. There is a guy who developed the security layer for a major e-commerce website back in the 1990s. His hair is salt-and-pepper and his smartphone ringtone sounds like a dial-up modem. That guy over there is VP of IT Security for a popular security appliance vendor. He has the FBI cybersecurity field office on speed dial. Right there is a woman, a colonel in the Air Force. She is in charge of security for one of the most secure websites on SIPRNet. If you fall into her honeypot, they don't file a lawsuit; they shoot a drone missile into your kitchen while you are eating your Post Toasties.

But remember, I am an application guy. I am trying to get your money. To be honest, these security Rambos kind of scare me. They are definitely an impediment to my goal, which is to get your money.

The last time I looked, about 4 seconds ago, in order to get your money, I have to deliver some kind of value. There are many ways that my applications can deliver value. Talking e-commerce, the best way is by providing useful and actionable information. In other words, application guys such as me, who want your money, are at complete and utter odds with the security goons. I want to open up your access; they want to restrict it. If I open up my system and provide more data, I get more money. Yay for me, I win! The security goons want to stamp on your puny little skull and watch you writhe in the dust, with no access to data. In the data security world, they win. Cretins, all of them; they don't care about your money.

Which of us is right, application guys or security goons?

In my view, the answer lies in the proper exercise of threat analysis. The security goons always want to put the servers in a locked concrete bunker and unplug them from the grid. Perfect security! Application guys want to open them to the world. Perfect access! The real answer lies somewhere in the middle, governed and informed by the value of the data and the revenue potential that the application developers can obtain.

I love my CISSP colleagues, I really do. I hope that we can come to a rapprochement. I will support your data security goals, I really will. You will bite your tongue and support my revenue goals. Deal?