A friend sent me an email last week that he wrote to the Security guy at his company and to his boss. It was in reference to a conversation thread between himself and one of the web developers at his company. He gave me permission to use his story.

They had made some changes to one of the web servers and needed them tested. My friend sent an email to the web dev and a few others in the applications department asking them to take it through its paces to ensure that it worked as it should. A little while later he got a frantic email from the web dev saying that everything worked as it should except one thing. She was testing a module within the application that opens a .pdf for viewing. She said that when she tried it she got an error saying that the system couldn’t find Adobe Reader and that it needed to be reinstalled. In her mind the changes had corrupted Adobe Reader and so the server guy needed to fix it. He called her and started asking questions and discovered that she was testing the app from the server and not from a client system. He then told her that she needed to test it remotely and that Adobe Reader didn’t need to be, nor should it be, installed on the web server.

As I read his email and later talked to him about it I thought about how this is a classic example of people not understanding how things work outside their stated job responsibilities and how that affects the security of an organization. Her job was to write web code and that’s what she does. Her job isn’t to be a server admin or, apparently, to understand how the web code works in conjunction with other systems. This type of problem is far too familiar to many of us. I once worked with a web dev who didn’t have a clue how to install, deploy or manage a web server. He didn’t have to know how to do that and therefore he didn’t.

Now you could argue that his job was to code and you would be right. I would argue that you can’t properly code, and certainly not securely code, if you don’t understand the interactions between all the aspects of systems and applications. You don’t have to be an expert web server admin to be a good coder, but you need to understand the basics. This is especially true when you start talking about writing secure code. If the web dev had understood the risk of putting Adobe Reader on an internet-facing web server, then she would have known what was wrong as soon as she got the error message and realized that she needed to test from a remote system.

Security is the responsibility of everyone within an organization, not just the Security Team or IT. That is why it’s important that we educate users on security issues. That’s why it’s important that we show the face of security as being willing and able to work with the end-user and not against them. We have to get beyond the “no” mentality and be seen as enablers. We have to remember that Information Security exists to serve the interest of the business. Just as those outside the Information Security world need to understand how and why to act in a secure manner, those of us in that world must understand the business. We can’t properly secure what we don’t understand.

Good coding requires an understanding of the systems your code is interfacing with. Good Security requires an understanding of the needs of the business and the end-user.