Online trading site was left wide open

http://www.theregister.ca/2007/10/25/online_trading_pen_test/

The comments about whether or not the coders are responsible, or should have raised red flags, are interesting.

But my say is that part of the problem is in the style of project management. I was fortunate that my early work in military avionics DID give the lower level people a context view. (And you wonder why I say “Context is everything“?) In later jobs where I was compartmentalized and told “you don’t need to know the big picture, just code your bit” I found two things. One – that it was very frustrating and two – that by looking at the big picture I could produce something more effective even in my little corner. Oh, and three – I could see systemic and strategic flaws, which usually upset the ‘senior’ people who should have caught them in the first place.

We have critics of the CISSP certification who claim that it's not technical enough. But really our job is not secure coding but secure SYSTEMS.

As in: Certified Information SYSTEMS Security Professional

Like the (ISC)2 site says, ‘Security transcends technology’. It's not just about coding but the whole security stance. Security is everyone’s responsibility.

But suppose that a coder does raise a red flag and management – whatever level – turns round and reprimands them for questioning a poor, incomplete, ambiguous or just plain wrong spec? I’ve seen such specs bring down a company here in Toronto because when all the parts come together it doesn’t work. Writing specs for a larger project is not easy. It requires a particular ‘vision’ and discipline.

One of the comments to the article says:

It’s up to the people who have the overview – the architects and senior developers – to make sure the spec given to coders meets the real requirements. So definitely, hang the architect out to dry.

Although what probably happened is that the customer didn’t bother with a qualified systems architect. They took Joe from accounting who has a computer at home and is therefore an expert, had him draw up the spec, which was then forwarded to coders directly.

Yes, I’ve seen that happen – many times. A cobbled-together database in dBASE gets scaled up to Oracle … and things go very wrong because it wasn’t ‘designed’ and no thought was given to the complete set of ‘use cases’. Or Visual Basic, or JavaScript, or some other “easy to use” tool in the hands of people who don’t have a complete understanding.

Read the rest of the comments to the article for yourself. There’s a lot there that is pertinent to coding and to banking.

About the author

Security Evangelist
