It’s a mess out there. OpenSSL was compromised. The U.S. government is in your database. Cats and dogs living together; mass hysteria! But there is a solution. You, as a software development manager, hold the keys to making sure your software is secure. You hold the keys to making sure your infrastructure is secure. You hold the keys to the kingdom for all of your corporate security needs.
But first, you have to let go of your schedule.
Perhaps the most important thing you can do to improve software security is give your developers the time they need to make their code secure. Instead of letting marketing drive features, you need to let the developers drive their own features sometimes, particularly if they’ve been complaining and pointing at a fire in the code during meetings.
But there’s more you can do beyond training your developers and giving them the time to fix security risks. You can also turn their attention to the rest of your infrastructure. Now, we know what you’re thinking: Our Ops guys are in charge of Apache, of the firewalls, of the OpenSSL and certificate machines. But behind each of those machines is open-source software. That means your team can actually do its own security audits and fixes internally, if you have the time and inclination to do so.
In this issue’s special report on security, you can read about one team that went so far as to recompile OpenSSL itself, first removing all the functionality they don’t use. When Heartbleed went public, they were invulnerable because they’d removed all of the UDP-related portions of their OpenSSL implementation.
And you can do this too! It’s not easy, and it takes time and developers, but if you can go in and rip out all the parts of Apache Web Server that you don’t need and still get the app to compile, you’re probably not going to be vulnerable to the next big Apache bug. Like earthquakes, we’re due for one in a couple of years, after all.
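Ripping unused functionality out of a library only protects you if the build you actually deploy reflects it, so the check a practitioner wants is one that confirms which features a given OpenSSL binary was compiled without. The script below is an added example, not code from this article or from the team it describes. It assumes that OpenSSL was configured with options of the form `no-<feature>` (for instance `no-heartbeats`, which is what the OpenSSL Heartbleed advisory told users who could not upgrade to rebuild with), that those options surface as `-DOPENSSL_NO_<FEATURE>` flags on the `compiler:` line of `openssl version -a`, and that the sample output embedded here is constructed rather than captured from a real host.

```python
"""Verify that an OpenSSL build has the features you stripped actually compiled out.

Added example: parses the `compiler:` line of `openssl version -a` for
-DOPENSSL_NO_<FEATURE> defines and compares them with the exclusions you require.
"""
import re
import subprocess

# Constructed sample of `openssl version -a` output (not from a real machine).
# It represents a build configured with `no-heartbeats no-ssl2`.
SAMPLE_VERSION_OUTPUT = """OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 10:00:00 UTC 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_NO_HEARTBEATS -DOPENSSL_NO_SSL2 -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall
OPENSSLDIR: "/usr/local/ssl"
"""

DEFINE_RE = re.compile(r"-DOPENSSL_NO_([A-Z0-9_]+)")


def disabled_features(version_output):
    """Return the lower-cased set of features compiled out, read from the compiler flags."""
    features = set()
    for line in version_output.splitlines():
        if line.startswith("compiler:"):
            features.update(name.lower() for name in DEFINE_RE.findall(line))
    return features


def missing_exclusions(version_output, required):
    """Return the required exclusions that this build does NOT have, sorted for stable output."""
    wanted = {name.lower() for name in required}
    return sorted(wanted - disabled_features(version_output))


def check_installed(openssl="openssl", required=("heartbeats",)):
    """Run the real binary and report missing exclusions.

    Returns a list (empty means every required feature is compiled out), or None
    when the binary cannot be executed, so callers can distinguish "not checked"
    from "checked and clean".
    """
    try:
        result = subprocess.run(
            [openssl, "version", "-a"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return missing_exclusions(result.stdout, required)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print("compiled out:", sorted(disabled_features(SAMPLE_VERSION_OUTPUT)))
    print("still present:", missing_exclusions(SAMPLE_VERSION_OUTPUT, ["heartbeats", "ssl3"]))
    # Live check of whatever `openssl` is on PATH; None means it could not be run.
    print("installed binary missing:", check_installed())
```

Wire `check_installed()` into the deployment pipeline so a stripped build cannot be silently replaced by a distribution package that still carries the code you removed; a non-empty result, or `None`, should fail the deploy rather than be logged and forgotten.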
Security should be Job No. 1 when writing business software. Nothing can get you fired quicker than losing that database of credit card numbers, or opening your customers to some other form of digital nastiness. Therefore, it’s incumbent upon you and your teams that you make security Job No. 1.