Tuesday was a beautiful spring morning and I got the train up to London. The English countryside looked gorgeous and green in the sun and the haze. A tube strike of course and people thronged the streets waiting for buses. Ah, after decades of Corsets, Cash ISAs, and Caffe Latte, England is finally getting back to normal. About time the dustmen went on strike again isn’t it? Bring back the GLC.
I was heading for Infosec, the Information Security exhibition at Earl’s Court. I’m an old hand at this now: Quick sausage sandwich, a cup of coffee then a walk round the stands to see what’s current. The main point of these trips for me is to attend the education seminars. Not much really new to report but it’s still worth a look.
Advanced Persistent Threats are really just all the other threats put together and undertaken by governments in a relentless manner. The Stuxnet worm which attacked the centrifuges in nuclear processing facilities in Iran is an example.
People Talk a lot of Bollocks in Information Technology these days and part of this comes about because the industry is changing so fast. New themes emerge and people race to name them. The names get taken up by salesman who repeat them before the industry has really figured out what they mean. Cloud used to suffer in this respect though it is generally more understood these days. A seminar entitled “Actionable intelligence: Building a holistic security threat intelligence capability” demonstrated to me that the panel had not really understood the meaning of Actionable or Holistic.
A seminar entitled “‘Applification’ of business and implications for security: Securing software development” was interesting if a little meandering. The panellists discussed very pertinent issues around the security of software development. Security is often seen as a bolt on, developers are seldom given security requirements in the functional specs and, though one guy said that all developers should be security specialists, they all had to admit that finding good developers was difficult enough; finding security aware developers was almost impossible.
One pundit contrasted software development with engineering and this goes to the heart of why we still find IT systems which are not adequately secured. I recall working for an oil company close to where oil was “lifted”. A flare had been set up and, after discussing this with an engineer, I realised that he had not just stuck a pipe in the ground and hoped. He had been trained how to handle flares safely. He’d performed a formal safety assessment. What type of gas? How much gas? What was the location? He had then consulted his training or possibly relevant standards and created a mechanism with strictly defined materials, tolerances and capabilities.
This rarely happen in software development or IT projects in general. There is no recognised standard for software developers. There is no industry wide accepted training path that is comparable to engineering. Yes, standards, training and qualifications exist but they are not prerequisites. They are something to boost a CV. The main problem is that technology and the industry are still changing so quickly that standards and qualifications become redundant before they can get a grip. Further, software developers still regard themselves as creative. They like to invent clever new ways to do something where an engineer, though obviously creative, is more restricted in what he can get away with especially when safety is involved.
Probably the reason that standard are more easily enforced in engineering is that the outcomes are far more visible. If the gas flare mentioned earlier had resulted in a huge flame blowing dangerously close to a building then everyone would have known about it but a software short cut or “innovative” coding could go unnoticed until a vulnerability is finally exploited by an attacker.
The proliferation first of mini-computers and then PCs meant that many organisations chose to run their own IT functions and this led to a lot of inexperienced and unqualified people in the industry. I should know. It’s how I started. The on-going migration of software services to the Cloud may help by concentrating computing at locations where the technology and configurations can be standardised, the staff adequately trained & qualified and the overall organisation audited to ensure compliance with industry best practice.
But change is ubiquitous in IT and many of the most innovative companies are small so we can expect software development to continue in hothouse start-ups rather than mature, standard bound organisations. We should also be careful what we wish for. Many of us got intoIT because of the creative aspects and this was underlined last week by an article in The Guardian in which developers look back at BASIC computer language which is now 50 years old.
Security, reliability and availability vs fun and flying by the seat of your pants. Tough choice.