I’m presently at the tail end of another long international journey during which I did a talk for a security company titled “Shift Left: The Incredible Impact Early Security Testing Makes”. It’s a pretty self-explanatory title and it focused on the value of helping software developers identify bugs as close to the time of writing them as possible. That talk in conjunction with all the training I’ve been doing on this journey really got me thinking more about the whole industry and where the security spend goes.
SQL injection is a great example of what I’m talking about. During another talk on this trip, I showed snippets of a tutorial a kid on YouTube had recorded. He’s probably about 16 years old and with a somewhat quivering voice, he walks through how to use a Google dork to find vulnerable sites then promptly picks the first one in the results and uses free SQL injection software to suck all the data out. Amidst this demo, he demonstrates how to test whether the site is likely at risk by simply inserting an apostrophe into the query string value. If the application concatenates this into the query and executes it, the database throws an exception which then appears in the browser and you know the site is ripe for the picking.
Now in this case, the kid had absolutely no idea what he was doing. He didn’t understand the mechanics of SQL injection or even the basics of how a structured query language works (his insistence on pronouncing SQL as “squirrel” was a bit of a giveaway!) Yet here he was, mere minutes later with all of the data out of the system. We see this sort of thing all the time – the kid sentenced for the TalkTalk hack of 2015 used freely available SQL injection software to cause them £35m of damage (his punishment included having his iPhone taken off him).
But here’s the relevancy to investing in people: the software flaws these kids exploited boiled down to a few lines of code. These are lines of code the people building the systems may not have even known were vulnerable. One of the ways I demonstrate good versus bad code these days is to show a blog post someone recently wrote about how to build a password reset feature in ASP.NET. Here the author uses two SQL statements with the first one being secure (it’s properly parameterised), then in the same screen just a few lines down, uses an easily exploitable practice (he simply concatenates form data into the query). Same developer, same project, same function but code that could lead to the total exfiltration or destruction of the data.
“Shifting left” and helping the guy get it right the first time would have cost next to nothing. The good code was no more expensive to write than the bad code, he just had to be taught the difference. Investing in people and educating them appropriately pays off big time, not just now but for the many projects they’ll go on to build over the course of their careers. With the benefit of hindsight, TalkTalk would certainly look at education as having a very good ROI…