Persuading colleagues to write code in a secure manner

[jrbarnett]

Recent events at work have persuaded me to look at the security of some of our in house written systems and do a lot of rewriting and implementing far more rigid security within them and removing excess permissions.

With the need to write and debug new systems at present, I've been trying to persuade my colleague to write any new code in a secure manner and to lock down the application interface to prevent access to the immediate window in Access/Excel.
Also, if accounts need to be set up or access permissions altered on the database servers, set it so that it only has the permissions where needed for the application to run properly.

I've put a page up on the MIS section of our intranet on best practise for designing software and writing code in a secure manner with a load of relevant links and got a "That's good and really helpful" after pointing her at it, followed 10 minutes later asking for comments on a system she had written.
Within under 5 minutes of poking around, I discovered a hole so huge an elephant could fall down it.

I'm not aware of any actual breaches of security within the systems in my own remit, but of course there's always the possibility they've not been reported and its better to be safe than sorry.

The data involved are a mix of personnel/payroll and training, student and financial information.
The applications used are a mix of custom reporting systems piggyback onto commercial apps and others are entirely in house systems.

My manager (who is also hers) is not technical in an IT sense, so doesn't really understand what can be done with the existing systems if such flaws were discovered or utilised.
I have no authority over this colleague, we are at the same level within the organisational chart but she does come to ask me advice from time to time, which case I do try and steer her in a more secure solution to a problem, even if it is more complex to implement than the obvious easier one.

We've got books about our database server platforms and VBA references, but they tend not to get read much (mostly by me to brush up on something).

How can I persuade my current colleague and manager to take system and application security seriously and to use and implement it within their work?
I'm sure I can't be the only one has this sort of problem.

John

 

[Ed2020]

John,

I'm not sure which part of the world you're in but if it's the UK I'd start by showing them a few key parts of the Data Protection Act.

The example you've quoted would definitely fall under this law's umbrella. Even your non-technical people should grasp the importance of complying with legislation that has no upper limit on compensation payments should certain information fall into the wrong hands!

Ed Metcalfe.

Please do not feed the trolls.....

 

[damber]

Education....

My manager (who is also hers) is not technical in an IT sense, so doesn't really understand what can be done with the existing systems if such flaws were discovered or utilised.

Bring in an external security auditor for a few days to 'poke around' and present a report on what they could get hold of... that will open a few eyes as to 'what' can be done.

Then value this loss, both as per Ed's post on the Data Protection Act as well as cost of recovery by your company. The contractor you hire may do this for you, so ask them.

followed 10 minutes later asking for comments on a system she had written.
Within under 5 minutes of poking around, I discovered a hole so huge an elephant could fall down it.

One thing to consider is your colleagues (and even your own) ability to securely build an application - although you may have a good knowledge of what could be a security risk, your colleague may not... so it may not be a case of convincing your colleague (seems she's already trying to do the right thing), but more a case of education and training. Maybe propose a course for everyone to go on at your next team meeting ? You may even learn something new yourself.

So.. it might not be a case of 'convincing' them, it may be more of a case of 'educating' them how to make it happen, which is something a training course will help achieve.

Start by demonstrating the risk with current systems (useful whether people are convinced or not, or educated or not), then move onto educating everyone on how to resolve and most importantly 'prevent' these issues.

Hope that helps,

A smile is worth a thousand kind words. So smile, it's easy!

 

[jrbarnett]

I am UK based, so am subject to the Data Protection Act. The recent events include an announcement to IT people that an IT security auditor and penetration tester will be performing tests next year so am trying to close the holes I know exist before they come in.

My job spec specifically mentions maintaining security of the MIS servers and applications that run on and connect to them, but I don't know about hers. I think I'll finish fixing the holes I know about then carry on with the new stuff.
When I started this job back at the start of this year, many of the servers weren't even patched to the latest service pack, let alone the last month's Windows updates so I've got a long way to go.

I'll raise the security flaws I've found at our next team meeting and ask my boss what he thinks should be done and take it from there.

John

 

[wmichael]

John,

Interestingly enough, I just read a great survey completed by PWC that speaks to computer crime/fraudelant activity in the UK. Data shows that occurrances are up 8000% in the last two years. I do not know what your exposure is, but the surest way to land on the front page of any news paper is to have a security breach that affects customer data.

It seems like the climate in the UK is fairly lax, but there has been quite a bit of eyes peeking at the regulatory environment lately and looking to shore up companies who handle sensitive data (which yours does).

If you have not been compromised yet, you likely will in the future.

If you have not been examined yet by a third party, you likely will be in the near future.

It will certainly provide an overall benefit to your company in the long-term to make security part of your implementation processes. Compromises are costly in terms of hard dollars and reputation. Poor exam results are the same.

Build an internal case for security slowly and with concrete data. Document your activities.

Also, you may be able to work something in to the QA cycle of your software development projects. Using tools like WebInspect will provide you with a means by which you can expose security flaws (some, but not all) and report on them with confidence.

Best of luck to you!


~wmichael

"small change can often be found under seat cushions

 

[Lunatic]

I don't know if its relevent in the UK, but for at least the US you could show the expense (projected) of credit monitoring for everyone in the database should your system be compromised.

That type of cost into forever could open some eyes...

***************************************
Have a problem with my spelling or grammar? Please refer all complaints to my English teacher:
Ralphy "Me fail English? That's unpossible." Wiggum