In-Depth

Development Environment Detrimental to Application Security

A dangerous developer mentality can lead to mistakes that leave the most precious of applications susceptible to hackers

• By Jason Turcotte
• 08/08/2006

Like a game of chess, application security boils down to a series of attacks and countermoves, and developers need to do what they can during production before they become another hacker’s pawn. With today’s high-pressure dev environments and developers’ overestimation of abilities, one expert says security is easier said than done.

Rob Byrne, a seasoned security application developer formerly with PeopleSoft and IBM, and who now serves as vice president of engineering at nCircle, calls the can-do-all attitude the “optimistic-engineer scenario,” citing a dangerous developer mentality that leads to mistakes that leave the most precious of applications susceptible to hackers.

“Developers by nature are, for the most part, introverts and they take input from the Web or other developers,” Byrnes says. “What they don’t take in is a broader awareness of the product they’re writing for. … Sometimes what can sound very easy on a PowerPoint slide can be a very difficult process engineering-wise.”

Byrne says developers don’t always understand what they’re creating; they build what people want but not what they need. He says they need to think beyond the application and apply knowledge of the business and the customer services they’re building for.

This narrow view Byrne chalks up to inexperience. The veteran developers he works with typically have a better understanding of the application’s relationship with the end user. Inexperienced developers, he says, often bite off more than they can chew, cut corners in the face of looming deadlines, and devote too little time to testing and QA. Byrne says it takes years before a developer learns to see a product through a “non-engineer’s eyes.”

He suggests security be a key component of best practices during the software development and testing process. Byrne advises that vulnerabilities be examined within each piece of architecture, and layers below each application secured as much as the application itself. Hardening one’s operating system is just as crucial as the more obvious security approaches. He says developers must disable services not paramount to the application to prevent back-door intrusions and to close any superfluous ports. Password expirations, lockouts, input validation, and administrative privileges are other ways to secure an application. Byrne also cautions building error messages that are too revealing to hackers.

Byrne says it’s crucial for developers to begin building on the right foot. “The earlier in the process you make a mistake, the more costly and the more difficult it is to fix it.”

Byrne has more than two decades of experience in product development. Before joining nCircle (http://www.ncircle.com), he oversaw management of the development for IBM’s DB2 query optimizer and contributed to the development of on-board flight control software for NASA shuttles and space-station data systems. Through his experiences in application security, he has learned security is at its strongest when the developer thinks like the hacker.

“You need to be thinking about the security of your product as those who are trying to attack it are,” Byrne observes. “There’ll be people up all night, every night, trying to figure out how to get through what you’ve done.”