I'm not Michael Howard. My software development background consisted of struggling through my two C++ classes in my undergraduate MIS program. Sure, I managed to convince my professors that I knew what a virtual function was and how it all worked, but I never really felt the "Call of the Code" like Michael, Bill Steele, or Joe Stagner did. These guys are superheroes. So you can imagine my surprise when I was approached by the HelloSecureWorld.com team, to do a video for their website. Was this a cruel joke? Was I going to have to relive the pain of seeing another "Error Compiling Source" message again? Would I be forced to end my statements with a semi-colon?
Fortunately for the world, I was simply asked to pontificate on my thoughts around the importance of writing secure code. I can absolutely attest that as vendors continue to harden both operating systems and applications, the new attack points are going to be those "custom" applications that are being written inside your organizations. Most of you have heard some Microsoft AppDev security guru talk about the Microsoft Secure Development Life Cycle (SDLC) and how we implement this internally. The proof is in the pudding! Compare the number of vulnerabilities in Windows XP after 1 year to those of Windows Vista. Compare Windows 2000 to Windows Server 2008. Compare any application server to SQL Server 2005. SDLC works! But what about your developers? Are they following a strict SDLC themselves, or is security merely "sprinkled in" with a quick username/password option at the very end of the development project? Hear me loud and clear: Security needs to be baked in at every step of the process! If it's not, bad things will eventually happen.
......but I digress.....when the HelloSecureWorld.com folks approached me, I told them I'd do the video....but only if I could do it THRU THE EYES OF JOE, THE IT PRO!!!
Who's the guy who gets the call when the code craters the messaging server? You do!
Who's the guy who's got to call his wife because he's gonna miss dinner AGAIN? You!
Who gets to miss the kid's pee-wee football games because a SQL Injection attack just ported all your company's PII out to the Internet? YOU!
So please.....take a moment and check out this insightful video that (hopefully) captures the pain you experience when your devs write non-secure code. As painful as it is, watch the WHOLE video...to the end.