Securing a software company - Part I

Posted by user on 21 May 2009

I was working on a typical "airport-security-I-know-better-post", then I realized that Bruce Schneier already said all of these things better than me.

Today I'm going to tell you about a very important thing for software companies: confidentiality and security. This is not going to be about firewalls, antivirus, filters and the like because, guess what, all these things are secondary.

Security, as a whole, is two sided. Designing a safe structure is not only a question of network topology and data encryption but also a question of policies, psychology and sociology. This is a vast topic and it will keep me busy for several posts. In this one, we'll see how you can build a security spirit in your company, starting with new recruits.

Lead by example

Go before the people with your example, and be laborious in their affairs. - Confucius

If you want people in your company to be scrupulous, you need to be scrupulous. If you want them to care about security, you need to care about security. Respect the rules you create and don't allow yourself exceptions "because I'm the boss and it's more convenient for me and where the hell is my coffee". This would be an extremely bad thing to do and would convey the message that rules are just a tool of power, not a tool of efficiency.

If you really think a rule is inconvenient, change it for everybody, not just for you.

For a small company, being security conscious from the outset will do most of the work. Everything will flow from it. If you're landing in a bigger structure in need of a change, some of this material may help you, but your task is much more complicated.

What does "being security conscious" mean?

It means being aware that security issues are everywhere, without becoming paranoid. A structure compulsively obsessed with security will end up doing nothing, crawl into a corner and agonize. I suppose this is not what you're looking for.

I'm being very general here and you probably think all of this is not very helpful. Let's be practical. Let's put you in charge of, say, a small software company.

Setting the context

The first thing is to make new recruits aware of what we do, security-wise.

You're going to take all the required time to explain why confidentiality is important for the company and its customers. Your clients are very sensitive about security and discretion, and you'll explain that whatever the employee may see and learn while she works on the project is not to be talked about. You'll also tell her that she cannot know whether what she sees is confidential or not, therefore she must assume it is confidential.

Some of the technology you work on helps you keep an edge. Everybody must do everything possible to make sure the trade secrets remain trade secrets.

Don't think that working on open source software, if this is the case for you, means you shouldn't care. Your strategy, amongst other things, needs to remain confidential. What you intend to do with the software is confidential. When you play chess you generally don't tell your opponent what your next moves are going to be.

All of this is actually not difficult to pass on, as any seasoned professional should be used to it.

This whole explanation must at no moment be patronizing or pompous. Give concrete examples of companies that were victims of industrial espionage and of how fast information can fly.

People interested in what you do are never far from you. A friend of a friend of a friend of... That's it! That guy works for a competitor of a client and would surely love to know that "the software's infrastructure is in a bad shape and it's going to take a lot of time to catch up".

It's nothing dramatic. Small bits of information that one thought harmless end up having bad consequences. Nobody's going to die, but it's not good for the business. When preventing this is just a question of not saying anything, I think it's a pretty decent price to pay. Don't you think?

Time for a little anecdote

Last year, I was in the TGV between München and Paris and my neighbor was an employee of a famous German industrial company. Suffice it to say that you probably bought or used some of their products in your life. He was looking at my laptop as I was programming and asked what kind of company I was working for.

I told him about Bureau 14, what we do and how great we are (you bet!). Then he told me "I prefer to avoid working on the train, because you never know who the person next to you is and what he does for a living".

You know what I told myself? I told myself that this person was committed to his company's trade secrets, and that it probably meant that it was a good company, a company where people were well treated. A lot of positive images came to me and my opinion about them improved (not to say I had a negative image of them in the first place).

Now let's flip the coin and hear a very different story.

It was a while ago, when I was still working at the ministry of defense as a lead security engineer. Since I was working on classified projects, I couldn't speak about what I was doing. Frustrating at first, but I quickly got used to it.

A friend of mine, working for a famous French car maker, was teasing me about it. "Come on, it's never so secret! Who cares?" And then he went on and on, giving me very specific examples of what he was doing and how much he didn't care about respecting the company's confidentiality. I thought this was pretty lame. We were in a café and most of the people around us could hear the conversation.

I know it really gave me a bad impression of the manufacturer. It sounded unprofessional, messy, negative. When your employees stop caring about the company, it's a pretty good sign something is very wrong.

There's more to security than just security.

Explaining how you work

At the end of the little speech, the new recruit should have a vivid picture of the context in which we work. Make sure that if the person has questions or remarks, she shares them with you. It's very important to listen and to let the person speak. This must be a dialog, not a sermon.

The picture drawn, explain briefly how you changed your way of working to accommodate your security needs. Note that I didn't say "dictate the rules to the lower form of life squatting in the office".

The goal is to have the person committed. At no moment should you be interested in someone blindly following rules out of fear. Recruit clever people and have them use their brains. You want them to assess whatever situation they are in, because guess what, that's where added value comes from.

But how should you actually work?

I'll describe sensible (sort of) security measures in a future post. In this post, I'm going to stick to the human side and how to introduce security to new people.

One thing to be very explicit about is that every person is a link in the security chain. If anyone has a remark, suggestion or criticism about how work is done (this is actually not limited to the security process, of course), you want him to speak!

Aim for "no stupid rules". Security should never get in the way of doing business. It's a good opportunity to explain that whatever process you have can certainly be improved. I know this is going to result in a lot of talking and explaining at the beginning, with new recruits questioning everything you do, but in the long run I see major benefits:

  1. Obsolete procedures will die out
  2. Suboptimal processes will be improved
  3. Rules will be better understood, accepted and enforced
  4. Over-conservative people will leave the company

The day you will hear someone in a corridor saying to a newbie "I don't know why we do it, but we always did it like that, so please shut up and follow the procedure", get ready to launch a meteor swarm.

The other thing you want to avoid is people feeling security is just there to annoy them, because generally they will take every opportunity they have to bypass it. On the other hand, if they believe in it and think it matters, you won't have to waste time playing the police officer.

Writing things down

Everything having been explained, it's time to trigger commitment. When you are forced to do a thing, you are less likely to do it to the best of your abilities. In addition, forcing people to do things is really not the kind of atmosphere you want to have in a creative company.

One great thing you can do is to give the speech before the person signs the contract. She will not feel you're trying to force her, since she's not a member of the company yet.

When you're finished, have the contract ready as well as a paper in the spirit of "I will do whatever is within my power to help the company improve its efficiency, confidentiality and security. I also understand that I must not bypass or help bypass any security feature implemented by the system administrators". Probably something better phrased, but you get the idea.

That's so much better than sending the contract by mail and having the person sign it and return it. Granted, sometimes you cannot do otherwise, but a little ceremony for someone starting at a new company is both helpful and nice.

Ask something like "Now you know how we work and how dedicated we are. Do you want to work for us?". The person will probably say yes, unless you really bored her to tears and talked down to her like a little child. And guess what, this liberty will greatly improve the odds of having a committed person, provided that you have an environment to sustain that commitment.

After all, she was free to say no. If she said yes, she'll try to be consistent with that, and that means upholding confidentiality, security and the company's overall well-being.

Are we being manipulative? Yes, a little. But a more classic and authoritative approach will yield inferior results, as well as being potentially rude to the people you work with on their first day. Believe me, first impressions last.

The paper signed, you can share a drink of friendship with her and some key members of your staff and why not offer a little welcome gift. After a potentially grim speech in the vein of "they're out there trying to get us, by the way survival training starts tomorrow", that ought to be a good idea.

Do I need a specific document related to security in addition to the contract?

Not from a legal point of view, unless you work with a military structure requiring a specific clearance for your people. Confidentiality and trade secrets are protected by law. Not only can you fire at will, but you can sue at will. Hope you like the smell of napalm in the morning.

However, I personally think it's nice to have things written down. I mean things like basic usage of the facilities and especially the company's networks and computers. Even if it's obvious. No you can't watch pr0n at work. No you can't turn one of our servers into a warez top site. No it's not ok to post the source code to sourceforge. Gentlemen's agreements are nice, written agreements are better.

And if the worst happens, it'll make the lawsuit even easier to win.

What now?

You have a new committed and dedicated employee. Or someone running away from your office screaming. Now, what you want to do is maintain that spirit in your company. It must be both positive and efficient. You want your company to be introspective about how it works. And you want people to work efficiently.

All these things and the secret of well cooked rice will be unveiled in a future post...

Topics: Security, network, social engineering, Uncategorized