Let’s Get it Right – It is Writing Proper Code, not Secure Code!

As a CISO, I grow weary hearing that developers need to be trained in how to write secure code. 

A whole industry around ‘writing secure code’ has sprung up. From academia (U of Illinois at Springfield, UVA, Purdue, GMU, Princeton, Penn State, U of Wash, U Cal Berkley, Vanderbilt, to name a few), to information security training and product companies. Books are being written on the subject. Millions are being made on writing secure code. Unless you are in the DoD, NSA, CIA or protecting ring zero, you are not writing secure code.

Everyone wants to teach you how to write secure code. Well, I refuse to allow anyone thru doors unless they want to teach developers how to write proper code. 

Other CISO’s are quoted:

“We train all our programmers in secure coding, and we follow the basic tenets of secure programming design and management…”

When a developer does not validate input, it is not a security bug. It is a developer’s defect. When programmers do not enforce restrictions on authenticated users, it is not a security bug. When error conditions are not handled properly, it is not a security bug.    When developers do not learn how to properly code cryptographic functions within their code, it is not a security bug. When devices are not configured properly, it is not a security bug. When applications fail open it is not because of a security bug. It is because of poor architecture, design and development.

What it comes down to is improper coding techniques and immature infrastructure environments that can be properly configured. Let’s start focusing on where the problems really reside and get CIO’s and others to recognize that it is all about writing proper code and configuring their environments the right way. The fire drill is getting old.