“Anything you do to make your development life easier can make a hacker’s life easier too”
In the emerging world of DevOps and the cloud, most developers are trying to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resiliency and scaling to an application. Still, one critical item consistently overlooked is security. We talked to JAX London speaker Steve Poole about what can be done to keep your system secure and what happens when you leave the door open.
In this interview Steve Poole, Software Engineer at IBM and JAX London speaker, shares his experiences as he has moved into the world of DevOps and reveals the lessons he learned as a developer moving into the cloud, and why doing more than paying lip service to security is critical.
JAXenter: Your JAX London session is called Defending against the dark arts of CyberCriminals. How can we protect ourselves from them?
Steve Poole: Primarily by being better informed about security and cybercrime. It’s the lack of knowledge that makes us so vulnerable. Cybercrime is mostly invisible until it is too late, so having an understanding of how you are at risk is essential. We all understand security in the physical world. We secure valuables when we leave them. We certainly don’t leave items around if they could be stolen. Protection comes from us learning that we need to apply the same thinking to the computer world.
JAXenter: From your personal experience, do people take security seriously?
Steve Poole: Taking security seriously and being secure are two different things. So we know that all businesses take security seriously. Translating that seriousness into personal action and behavior is where it can go adrift. Quite simply most people do not believe that they are at risk. This is mostly due to a combination of a lack of knowledge about how systems can be compromised, misconceptions about what hackers target and how persistent and capable hackers can be.
JAXenter: How can you inadvertently leave the door open?
Steve Poole: As a developer the most likely thing that happens is that security is weakened in the name of diagnosis or ease of development. Anything you do to make your development life easier can make a hacker’s life easier too. Examples include turning off certificate checking or adding special access passwords or APIs.
The classic example for Java developers is where a server has a self-signed certificate and cannot be accessed by the system. The right way is to get the server to use a trusted certificate or, if that is not possible, get the self-signed certificate added to the trust store. Unfortunately, a more common way to ‘solve’ this problem is to implement a local javax.net.ssl.TrustManager that will accept the certificate. This is unfortunate because most often the developer actually writes a bespoke trust manager that accepts any certificate. So now the whole point of the security model here is bypassed.
The other general inadvertent error that we make is not to read the manual for the important tools we use. Comments such as “I thought I was using the tool correctly”, “I didn’t realize what the default setting was” or “I trusted the tool to do the right thing” can be commonly heard after an attack.
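The two approaches described above, side by side, as an added example that is not from the interview or from IBM: the anti-pattern trust manager to recognise in code review, and the supported fix of loading the one self-signed certificate into a trust store and letting the JDK's default X509TrustManager validate against it. The alias "dev-server" and the PEM input are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class SelfSignedTrust {

    // The shortcut the interview warns against: every check is a no-op, so any
    // certificate (including an attacker's) passes for every connection that uses
    // an SSLContext built from it. Kept here only so reviewers recognise the shape.
    static final TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // The supported fix: an in-memory trust store holding exactly the server's
    // self-signed certificate (read as PEM/DER from the stream), wrapped in the
    // JDK's default trust manager so chain validation and expiry checks still run.
    static SSLContext contextTrustingOnly(InputStream serverCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(serverCertificate);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty store, nothing on disk
        trustStore.setCertificateEntry("dev-server", cert); // alias is an assumption

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Sanity check a developer can run: the built context should trust exactly one
    // issuer (the self-signed cert), not zero (misloaded) and not the whole JDK cacerts.
    static int acceptedIssuerCount(TrustManagerFactory tmf) {
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }
}
```

Hostname verification is a separate step that HttpsURLConnection still performs with this context, so the certificate's subject or SAN must match the host being connected to; the same trust store can be produced on disk with keytool -importcert for tools that take a file rather than an SSLContext.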
JAXenter: What can you do to keep your system secure?
Steve Poole: Start by becoming more informed. There is a wealth of information available about how to secure your systems, the ways that you are at risk, etc. Then start to apply this knowledge to your systems and applications. Also learn more about the non-technical aspects of the hackers – how they operate, what motivates them, how they are organized, etc. The more you can understand what you are up against, the better.
JAXenter: Why should people come to your session?
Steve Poole: This talk comes from my experiences as I’ve moved into the world of DevOps. I’m not a security expert – this talk is about what I’ve learnt as a developer moving into the cloud and learning why doing more than paying lip service to security is critical.
The talk is not about application design. This talk is about the bad guys, what they want, how they get it and what we can do as developers to combat their actions. This talk is intended to open your eyes to the scale of the challenge. It will show you simple examples of how often we blindly trust people, technology or services and how that makes us vulnerable.
There is no magic wand but a little knowledge can make all the difference.
Thank you very much!