Software security is a big thing. You have to be aware of it from day one, and your code must be designed with security in mind. There are no coding details here. Instead, you are going to learn the mentality behind coding for security, and a lesson in human behaviour. And it starts with a story…
The ride up
It’s a typical morning on the way to work. I arrived at the office lobby on the 2nd floor. The 1st floor is actually the car park. We can discuss this architectural mystery some other time.
Sometimes, I’m alone, which was cool, because that meant I could take the lift all the way up to the 6th floor where I work. Otherwise, there would be people exiting at the 3rd, and the 4th, and the 5th, and ooohhh, finally, my floor.
Now there are 2 lifts. I timed it, and my experiments told me that squeezing into the 1st available lift, the one everyone was in, to go up to the 6th floor was slower than taking the next lift, which I could take all the way up.
Anyway, on the rare occasions when I found myself caught in a full elevator, I noticed a peculiar behaviour. Now I’m not saying everyone’s like this. It’s just something that’s frequent enough that I took note of it.
First, I need you to visualise the inside of the lift. The doors, which open and close on both sides of the lift, are in the centre of the lift entrance. To either side of the lift are the lift floor buttons. Every single floor has its button, plus the obligatory open, close and “come help save me” alarm buttons.
“Tell me about the weird behaviour already!” you exclaim. Ok, ok…
Some people would stroll straight to the back of the lift, even though they’re the first in. I mean the nice thing to do would be to go to the button panel and hold the lift open while the rest of us are trooping in, right?
Now here’s the even more peculiar behaviour. Some people, even though they’re right next to the button panel, don’t lift their finger to hold the door open at all. Sure, there’s another person at the other panel too. Then that person exits the lift at the 3rd floor. No finger lifting. And while people are still exiting, the lift doors close. I had to rush in and take over at the button panel in one instance.
The long walk to the security panel
There’s a reason why I just used a couple of hundred words describing my lift ride. Those very people who don’t lift their fingers to help hold the doors open? On the 6th floor, suddenly, they’re filled with gentlemanly virtue or immense courtesy, and their fingers fly up to press the “open” button. Why?
So that they weren’t the first ones out. Which meant they wouldn’t be the first one to reach the security panel. Which meant they wouldn’t have to whip out their security passes and authenticate themselves, and get the office doors open, and heaven forbid, let the rest of us in as well.
Let me give you a floor plan of the journey from the lift to the office security panel.
These people would hold the doors open and let everyone out of the lift. They’d stroll normally at the same speed as (or preferably slower than) the other people. Someone had to open the office doors. This way, they’re the least likely to have to authenticate themselves.
I believe they are legitimate staff working in the office. I believe they have legitimate security passes for authentication. I also believe they’re basically nice people. So why do they behave in such a manner? My conclusion is that they’re plain lazy.
The authentication process is really quite simple. Sure, the security panel can be faulty, and the security pass doesn’t work sometimes. We have this ongoing joke where if your security pass doesn’t work, the company probably fired you. *smile*
But is taking out the security pass for authentication that bothersome?
“What if those people aren’t at the lift button panels?” you ask. “What if they’re stuck at the front of the lift? What then?”
Aha, here’s the really ingenious part. Please refer to the office floor plan above. See that visitor couch to the left? They would stroll, ever so slowly, towards the visitor couch (or the fire escape), letting whoever was behind them overtake them and thus reach the security panel first.
And after someone else authenticated successfully, and the doors were unlocked, what did they do? They just waited for the authenticator to open the doors as well. During the authentication process, these ingrates couldn’t go to the doors and open them the moment they were unlocked. They needed someone to authenticate, unlock the doors and open the doors for them too.
Most of the people working on my floor are developers. Except for the administrative staff (only 2), and the team leaders and managers, the rest are all working directly in software-related roles. Programmers, systems analysts, consultants.
If these people can’t even be bothered to authenticate themselves at the office doors, what are they doing about software security in the programs they write? Do they implement security or do they just talk about it?