When the vulnerability is not the vulnerability itself
In an ideal world, all projects have good management. Projects need strong decisions and a clear plan that enable people to build something; this is true for a bridge, a house and even for software.
If a software project is not managed, it is useless to check it for security issues. More than useless, it’s a complete waste of time.
Unfortunately for application security guys, we live in a world that is far from ideal…
Toxic tasks, and being proud of drowning in them
People who are not self-confident tend not to take action. Taking action brings with it the chance of failing, and not everyone can deal with failure. Failing can be read as you being unable to do something. Serial entrepreneurs know that failure is part of the game, but not all software project managers are serial entrepreneurs, and the no-action comfort zone is far too appealing compared with the risk of a talk with the boss.
Sometimes big projects are born (and immediately die) in big meetings full of high-level strategy consultants trying to figure out milestones in order to draw an appealing Gantt chart.
Microsoft Project (or rather, the misuse of it) should be declared as dangerous as a weapon of mass destruction.
Software starts with the urgency of being on the market… well, now. Squadrons of poorly paid junior software developers are forced to build something in an unrealistic time frame, and to hit the idealistic release goal no architectural design and no in-depth technical analysis is done.
People must understand that the “release early, release often” mantra can be followed only by people managing their project in a formal way, with documentation and a clear vision. Otherwise they will just release some noise into the Internet space.
Meetings and calls are the leading causes of death in the software industry. I have seen a lot of promising software projects die for this reason.
Poorly chosen project managers, however, are happy to deal with such nonsense activities because they get the very distracting feeling that everything is OK and well managed.
A funny story, not too far from reality
Look at this scenario. I’m the project manager of an e-commerce portal, but I don’t know anything about web technology or e-commerce. I’m the project manager because someone said I’d be the project manager. If every week 20 or more people are in a room discussing the project and I delegate all technical and strategic decisions to them, I will think they are managing the project well. There are a lot of them. They know about software (or at least someone tells me so; I can’t verify myself that they are good), so of course my project will be successful. The first milestone is missed. Well, I suppose it’s not a problem: every week they discuss what’s going on and I see an updated Gantt chart. Everything is still well managed; however, I’m the boss, so I’ll say developers must hurry up.
The second milestone is missed as well. We must cut some functionality. However, I’m too overloaded to look into the details; someone will tell me whether it’s critical or not. Developers must be really quick now: I will tell my outsourcer to use more people. (Note that at this point the big outsourcing company will place a couple of junior developers without experience, just to keep costs low. Such developers know nothing about the project and must integrate with code they are not aware of.)
OK, my boss told me we must go online next week. At the next meeting I’ll say that to all of those people. I’m pretty sure none of them is able to manage a software project without my supervision. They are lucky I’m managing. No tests, we go online.
OK, now you check the code for security
“Oh, security guys, they are so boring with their useless claims about the risks of being attacked. Who the hell will attack my book e-commerce? I’m not Amazon, actually. However… I’ll give them the testing environment URL so they can test in a sandboxed place.”
Testing in a non-production environment is a wise choice. We can run any potentially intrusive check on data without touching production information. However, when we start the tests we notice that some links are broken and not all pages have the same CSS applied. It seems that the testing portal is a melting pot of programming experiments without full e-commerce functionality.
At this point, most of the time we go to the project manager (or we try to intercept him in the jungle of meetings he holds every day to manage a lot of critical software projects at the same time) to ask for details. Of course he says he knows nothing about the technical details of the testing environment; he says we can ask consultant C1.
We ask consultant C1, who tells us that another system integrator installed the software jars in the test environment, so we must ask the AC1 and AC2 guys. You go to the AC3 and AC4 guys (because AC1 and AC2, the smart people, are at another customer right now) and they say they know nothing about missing functionalities or broken stylesheets. You must go back to C1, who is the lead on this topic.
You go back to C1, who is now fully scheduled on two or three other projects, so C2 will help you. C2 says that actually there is no real test environment: due to missed deadlines, they are in production without real tests.
Eventually you have lost two days of testing just to figure out the architecture in place, which is undocumented; there is no clear person in charge of managing it, and now you don’t know what to test.
Off by one
It’s a boring task, but please create and maintain a project plan. You must know what is online and the exact version of every single software jar your team has developed. You, as a project manager, must manage your project. You must understand technical details in order to drive decisions on your project.
If you’re scared of failing or of taking a bad decision sometimes… well, being a project manager is not the right job for you.