Thinking security: Hey, it worked!
This is the 37th blog in a series about security and how security is about how you think.
I remember watching a car restoration show in which the restorers took a classic but rusty car and did a complete upgrade. In the final scene they had the car put back together, dramatically turned the ignition on the new engine and the car sprang to life! Hey, it worked! The next shot was of the garage crew driving down the road into the sunset. End of show. (Of course, we never learn how many times they had to re-shoot portions of the episode before everything worked.)
But was it the end? Not really. With cars, there is always a need for maintenance and support. Some cars require very little maintenance, while others seem to have lots of problems, both big and small, as we use them in our daily lives. The better cars (generally more expensive) are usually better designed and hold up better over time, while the less expensive ones (or cars from certain manufacturers) tend to have more issues.
What about computers? With computers and software development in general, our “Hey, it worked!” moment is when the prototype works for the first time. It may be during a sprint or hackfest that we finally see the fruits of our labor by exercising “the happy path”. But that’s not the end of the process. There are many steps between that first success and the final released product.
The business of car production is very different from the work on the car restoration show. Production cars go through many steps from design to prototype to production. At every step, trained engineers consider all possibilities so that the final car is not only ready at shipment, but also will run well over time with minimal support and maintenance. The engineers have thought of everything throughout the process.
Just as in car production, computer products follow a similar design and development process, usually called the software development lifecycle (SDL). Trained engineers take the software product through the many steps from requirements to design to prototype to production. At every step, they consider more than just the functional product they are putting together. They think about how the product will be used, how they should test, and how to ensure that the product authenticates all users, among other things.
Also, computer products are much more complicated than cars and have to be ready to deal with ever-evolving threats. Did my computer product use a module of code with a known vulnerability? How do I know? How do I update it? These questions make the process much more complicated. Now, even cars have vulnerabilities.
But we don’t stop at “Hey, it worked!” with computer software either. We go further with this software development lifecycle and process. The next level is “Hey, it doesn’t fail”. This level of assurance comes with a more robust process in which all edge cases are tested, and the system has run for many, many hours without any type of problem. It’s something that you can take for granted with ClearPath Forward® systems, which measure uptime in years rather than days. This level of stability comes from the way that the developers have thought through the design of every release of every product and conducted additional checks and monitoring so that they caught and fixed any potential failures (usually outside of the “happy path”).
The holy grail of software development is “Hey, it’s secure”. This comes with an even more robust software development process. We know everything that is in the product and where it came from. We know that it is free from any vulnerabilities and we continually test and update to keep it that way.
While “Hey, it’s secure” is the result of the software development process, it’s also about how everyone thinks – from product owners to architects, from developers to testers. They know that the goal is “Hey, it’s secure” and not “Hey, it works”. It comes down to what they know and how they THINK about security and software development and put this knowledge to use every day.