An apology to our friends and colleagues

Cigital is in the business of making software secure, often by telling our clients precisely how and why their software is not secure. There is an almost infinite number of ways to be vulnerable, so it should be no surprise that we rarely find the perfect system. I’m tempted to say never, but I’d have to check around on that. We have a saying in the office that the only truly secure system is one that is buried underground with no wires in or out and no users.
Some of our clients, though, are shocked and more than a little annoyed when our assessment is critical. A top level manager may express gratitude when we confirm his gut feeling, but the middle manager with direct responsibility for the system is often embarrassed and defensive, and the guys in the trenches are downright pissed. That’s too bad. We aren’t top level managers. We are trench warriors ourselves. We truly appreciate how very difficult it is to write excellent code—code that does what it is supposed to do, code that works fast, code that works reliably in a production environment, code that is maintainable and code that is secure.
I once led a development team that produced some code that managed some highly visible and regulated financial transactions. The code had to be 100% free of errors, as there were many critics with deep pockets, political connections, and dozens of lawyers who wanted it to fail. The client wisely hired an independent (and excellent) team to perform extensive IV&V at the test level and the code level. The team showed up in my office, where I gave them all the documentation, all of the test results and test code, and unfettered access to my pre-production staging area. I figured they were just code schmoes like me, just doing their job, so I tried to be nice. Their attitude, though, was that of an IRS auditor on the trail of a bootlegger. One day I walked in and gave them a couple of boxes of Girl Scout cookies from my troop (Thin Mints, I believe). They turned down the cookies and told me that it was completely inappropriate of me to offer them anything of that sort. I lost it. I screamed “They’re not bribes, they’re goddamned cookies. Eat the ——- cookies!” They were so shocked they all instantly grabbed one and ate it very quickly. It was hilarious, and we eventually had a laugh over it.
At Cigital we don’t want to be like those fellows. We love smart coders—they are our kind of guys. Let the guys in sales play golf with the bosses. We would rather drink beer (or Mountain Dew) with the folks on the midnight pizza shift. At root, though, we do review other people’s work, and sometimes the auditor mentality takes over. One of the best guys at Cigital recently took on an audit gig. He told his manager that he wanted to keep the report secret until the end of the project, so he could produce a bug-rich audit report. I suppose the idea was to show how smart he is and we are. His sage manager told him to cut it out and share the findings as they emerged. The result was that we produced a long bug list, but noted in the final report that almost everything had already been addressed. That’s a good outcome for our client and a good one for us—we got another gig.
Writing good code is really hard, and the smart guys who do it are the heroes of our business. We love you guys, but we sometimes do have to tell you that your baby is ugly, and we’ll go beyond that to describe every deformity, wart and blemish in lurid detail. Understand, though, that we, like you, want that ugly baby to grow up into a runway model.
Technorati Tags: governance, regulation, software security

