Developers: Think Like a Hacker to Beat a Hacker
Like a game of chess, app security boils down to a series of attacks and countermoves, and developers need to do what they can during production before they become another hacker’s pawn. But with today’s high-pressure dev environments and developers’ overestimation of abilities, one expert says security is easier said than done.
Rob Byrne, a seasoned security app developer formerly with PeopleSoft and IBM, who now serves as vice president of engineering at nCircle, calls the can-do-all attitude the “optimistic-engineer scenario,” citing a dangerous dev mentality that leads to mistakes that can leave the most critical of apps susceptible to hackers.
“Developers, by nature, are for the most part introverts and they take input from the Web or other developers,” Byrne says. “But what they don’t take in is a broader awareness of the product they’re writing for—sometimes what can sound very easy on a PowerPoint slide can be a very difficult process engineering-wise.”
Byrne says developers don’t always understand what they’re creating; they build what people want but not what they need. He says they need to think beyond the app and apply knowledge of the business and of the customer services they’re building for.
This narrow view Byrne chalks up to inexperience. The veteran developers he works with typically have a better understanding of the app’s relationship with the end user. An inexperienced developer, he says, often bites off more than he can chew, cuts corners in the face of looming deadlines and devotes too little time to testing and QA. And Byrne says it takes years before a developer learns to see a product through a “non-engineer’s eyes.”
He suggests security be a key component of best practices during the software dev and testing process. Byrne advises that code be examined within each piece of architecture, and that the layers below each app be secured as much as the app itself. Hardening one’s operating system is just as crucial as the more obvious security approaches. He says developers must disable services not essential to the app to prevent backdoor intrusions and close down any superfluous ports. Password expirations, lockouts, input validation and restricted administrative privileges are other ways to secure an app. Byrne also cautions against building error messages that are too revealing to hackers.
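As an added illustration of the last point (example code, not from the article or from nCircle), here is a request handler that forwards the raw exception to the client beside one that logs the detail server-side and returns only a generic message with a reference id. The backend failure is a constructed stand-in for a real database error.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


class DatabaseError(Exception):
    """Constructed stand-in for a driver error whose text leaks internals."""


def lookup_user(username):
    """Constructed backend call that fails the way a real one might,
    exposing a table name and a server-side file path."""
    raise DatabaseError(
        "relation 'users' does not exist at /srv/app/db.py:42")


def revealing_handler(username):
    """The pattern Byrne warns against: the raw exception reaches the client."""
    try:
        return 200, lookup_user(username)
    except Exception as exc:
        # Table names, paths and the stack trace go straight to the caller.
        return 500, f"{exc}\n{traceback.format_exc()}"


def hardened_handler(username):
    """Keep the detail in the server log; return only a generic message."""
    try:
        return 200, lookup_user(username)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        # Full detail stays server-side, keyed by the reference id so support
        # can match a user's report to the logged stack trace.
        log.exception("request failed ref=%s user=%r", ref, username)
        return 500, f"An internal error occurred (ref {ref})."


def leaks_internals(body):
    """Crude check: does a response body expose internal details?"""
    return any(m in body for m in ("/srv/", "Traceback", "relation"))
```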
And Byrne says it’s crucial for developers to begin building on the right foot. “The earlier in the process you make a mistake, the more costly and the more difficult it is to fix it.”
Byrne has more than two decades of experience in product development. Before joining nCircle, he oversaw development of IBM’s DB2 query optimizer and contributed to the on-board flight control software for NASA shuttles and to space station data systems. And through his experiences in app security he has learned that security is at its strongest when the developer thinks like a hacker.
“You need to be thinking about the security of your product as those who are trying to attack it are,” Byrne says. “There’ll be people up all night, every night, trying to figure out how to get through what you’ve done.”
Jason Turcotte is an assistant editor at Application Development Trends. He can be reached at firstname.lastname@example.org.