My Database Management System Project

Blogs to track my database management system project. The main target of this project is learning. I am not planning to compete with SQL Server - At least not now!

Location: Cairo, Egypt

I am an Egyptian developer @ optimize software company.

Tuesday, June 21, 2005

Security (cont)

As I mentioned in my last blog, security in general has some points of difficulty. In addition to those points, I have some points of difficulty that are special to my project. These points are:
1- Working alone:

Generally, creativity is related to looking at things from more than one point of view. The problem with the human mind is that it always looks at things from one point (or a few points) and ignores all the others. This is part of the nature of the human mind that you cannot override, regardless of how trained and experienced you are.

So tasks that require some sort of creativity are best done by more than one person. Several people can look at a task from many points of view and reduce the flaws in it.

Security and design are the most creative activities in the software development process, so it is always recommended that they be done by more than one person. Even if you are working alone on such tasks, put your design or code aside for one week and then take a look at it again. This lets you forget your design or code, so that you read it again as a reviewer of your own work. Of course, this is not the same as working in a group of more than one.

For security, it is recommended that developers review each other's code (peer review) to find security holes in the code or the design. This has the following benefits:

  • Everyone unconsciously focuses on a few points and ignores the others. When another developer reviews his code, the reviewer looks at the points he ignored, so security flaws generally decrease a lot.
  • This will create the "Hawthorne effect". This effect is named for a factory just south of Chicago, Illinois. Researchers measured the length of time it took workers to perform tasks while under observation. They discovered that people worked faster and more effectively than they did when they weren't observed by the researchers. A developer will work harder and try to write the most secure code possible if he knows that a peer developer will review his code. This can give him some sort of challenge.

My problem is that I am working alone on this project. I have no peers, no one to review my code, no one to think with me or design with me.

2- I have no security guy:

I am not a security expert. This is the first time I have read deeply about security, and of course my first security practice will contain flaws. It is recommended in any project to have a security expert (either from inside the company or from outside).

The task of the security expert is to specify security rules and recommendations for the project, review the design, review the code, review the working plan, train the project team on the security points related to their project, etc.

Of course I am not a security expert and I cannot hire one because of the budget of the project. The budget of this project is 0$!

But of course I am not going to ignore security as a feature of the project because of the above reasons. Security education can increase the level of security of the application. Of course it will not be perfect, but it will not be 0% secure.

You cannot make an application secure without knowing what makes an application secure. Remember the saying "You don't know what you don't know". This saying applies to security very much.

In a good experiment, one of Microsoft's security experts asked two of his developer friends to review 1000 lines of C code for security flaws. The first found 10 flaws and the second found 16. He then gave them an intense one-hour presentation about coding mistakes that lead to security vulnerabilities and how to question assumptions about the data coming into the code. Then he asked them to review the code again. The first person found another 45 flaws, and the second person found 41. Incidentally, the security expert himself had spotted only 54 flaws in the code. So the first person, who found a total of 55 flaws, had found one new flaw, and the second person, with 57 total flaws, had found the same new flaw as the first person plus two others!

Security education of the team can increase the security level of the application dramatically. For this reason, during February and March of 2002, all normal feature work on Microsoft Windows stopped. Throughout this period, the entire development team turned its attention to improving the security of the next version of the product, Windows .NET Server 2003. The goal of the Windows Security Push, as it became known, was to educate the entire team about the latest secure coding techniques, to find design and code flaws, and to improve test code and documentation.

As a result, Windows Server 2003 and IIS 6 had far fewer security flaws than previous Windows versions.

So I am not going to ignore security or stop reading about it to increase the security level of my application although I am sure my application will have many security flaws.

