Don't lay all the blame for insecure systems on the developers

It’s good to see the subject of secure development, and in particular the most serious coding issues that crop up within websites, making the mainstream news. See Dangerous coding errors revealed at

It’s a good and comprehensive list, although by no means anything new. For example, I wrote about application security standards, covering much of what’s in the list, back in 2004 in an article for Computers & Security Magazine (which according to this link will cost you $31.50 to download. Worth every cent too!), and application security has been a recurring theme of this blog. OWASP – the Open Web Application Security Project – was founded in 2001 and published the first version of its Top Ten list in 2003. There’s nothing new here now: some variants of the same issues, but fundamentally it’s a list that could just as easily have been published 15 or 20 years ago.

A point I made a while ago (see here and elsewhere on this blog) is that the onus for secure online systems does not rest solely with the developers. They can’t do it all: the systems are too complex, and the attacks are becoming too sophisticated. Training the developers to write secure code is merely one layer in the defences. Training up the QA guys to write and test a decent set of use and abuse cases is another. Having a secure network, patched and hardened, with an application firewall in front of it, is another. It’s an expensive business.

Complexity is, as they say, the enemy of security. The last system I reviewed was a mixture of newly written .NET code and some legacy ColdFusion, integrated with half a dozen third-party components, pushing data out to the “cloud”, pulling data in from various third-party feeds, all connected up to in-house back-end databases, enterprise search systems and a third-party CMS. How many lines of code in that lot? In fact, just defining the scope of the security testing is difficult enough.

Giving the developers a list of issues to look out for is fine, and I’m all for it. But it’s not the solution.