Bryan Owen

"Gentlemen, Start Your Engines!"

Blog Post created by Bryan Owen on Jun 2, 2010

Considered by many as the first holiday of summer, Memorial Day ushers in an unofficial season of starts. "Gentlemen, start your engines!" is a quote made famous at the Indianapolis 500 and is fitting of the season.


The season is full of ceremony and commencement speeches that often mark the start of new careers. I still recall my engineering professor exclaiming our job is to get you revved up for industry (he probably wrote his speech during the race).  


That was a long time ago but so true. The new faces we welcome at OSIsoft are indeed eager to make a difference. A fellow PI gray beard remarked in wonderment about all the skill specialties. In the early days, engineers had to do it all. A break out box, data scope and ascii tables were needed for any hope of debugging an interface. We would use a drill to install 10base5 thicknet taps. The joke was that real engineers program in Fortran no matter what compiler was available!


Like most professions, body of knowledge and experience has dramatically expanded. Specialization is in essence a practical necessity in the technology world. Good engineers must still be solidly grounded in fundamentals such as security.


But here's the catch 22, security used to be a specialty.  How do we ensure everyone understands their role in security? Well, the Microsoft SDL Developer Starter Kit has an app for that. 


The starter kit is level 100 with no prerequisites and is must know material for any professional developer. The kit is organized by specialty and provides content in many formats. You can read word documents or maybe you want to ‘cut to the chase' by clicking through a Powerpoint presentation. Perhaps multimedia is more your style. If you want to prove mastery of the basics, some modules even have a test quiz. It's all available on the download site.


Specialty topics include:

  • Banned APIs
  • Buffer Overflows
  • Code Analysis
  • Compiler Defenses
  • Cross-Site Scripting
  • Fuzz Testing
  • Secure Design Principles
  • Secure Implementation Principles
  • Secure Verification Principles
  • Security Code Review
  • Source Code Annotation Language
  • SQL Injection
  • Threat Modeling Principles
  • Threat Modeling Tool Principles

I often get the question: "What's the most important thing we should be doing for security"?  Like so many things the answer depends where you are in a product lifecycle. Absent the pressure of impending doom or incident response, addressing security as early as possible is the favored approach.


To do so effectively, engineers must know what is expected to practice security as part of their profession. A software architect will have different needs than a QA engineer. Implementation and security tools vary depending on the type of project. Threat modeling doesn't actually improve security until the threats are mitigated but as a standard method the model is essential in prioritizing security tasks.


In other words education is the key. Is level 100 SDL training adequate to build applications serving critical infrastructure? No, it's just a good start. Product managers, security development leads, and other gray beards carry the essential burden in building a trustworthy product.  So gentlemen: Start your engines!