A Letter to Cybersecurity from an Application Developer
I don't get you. I thought we were going to be good friends; instead, you hang out with all my other friends. You've changed, and I don't recognize you anymore. I know we haven't always run in the same circles, but we've always kept in touch.
I first got to know you when I started down the path of application development in college, designing Access databases and simple HTML, although it seemed like you spent more time with the hardware and networking students than with us programmers. In the beginning, you shared stories about SQL injection, viruses, and friendly malware that told you ILOVEYOU. As an end-user, the tools you provided to prevent and resolve any issues were quick and mostly straightforward: install some anti-virus, add a firewall, and then get back to creating a giant page of animated dancing hamsters. Those were the good days, with no worries except whether the song downloads we started on Napster and LimeWire last night would be finished in the morning.
After graduation we went our separate ways. I joined my first job and started dipping my toes into corporate intranet web design. I reached out to you to pick your brain on securing an internal website, and you gave good advice on SSL, on how my password should be eight characters mixed with numbers, and on password encryption, although admittedly I struggled with the idea that salting a password had nothing to do with food seasoning. Things were good for a couple of years; then the dotcom bust happened, which sent me to the unemployment line. We no longer had anything to talk about, and we lost touch.
After a few years of silence, I re-entered the workforce administering an Enterprise Resource Planning (ERP) system. It came with built-in security mechanisms, so I never tried to call you. I did follow some of your exploits, like your campaign to stop all those Nigerian princes who were constantly phishing for investors to share in their great fortune.
Four years later I found myself back at Purdue, except this time I was getting paid instead of paying them, oh, and developing my own home-grown ERP system. Once again I sought out your knowledge, and you freely shared how FTP and email continue to be attack vectors, how SQL injection is still a thing, and how old versions of operating systems are bad. Nothing got my stress levels up, and our conversations were cordial and coherent. Oh, and now my passwords needed to be randomly generated and twenty-four characters long.
Then something happened. You changed your hair, your clothes, and the way you speak. You started throwing lingo at me like DoS, DDoS, MitM, APT, SOC, IoT, and pen-test, inundating me with senseless acronyms and techno-jargon. Every time we talk, I have to nod my head like I comprehend what you are saying, but really I am keeping a mental list of all the words I have to look up later. You've gotten real chummy with my co-workers and friends, so much so that they have started talking like you. They regale me with all the fun, interesting quips you share with them, and I can't help but feel left out in the cold, firewalled from the cool kids' club. Even the topics I know have changed: applications are now in the cloud, with their own development and security requirements that take a twenty-volume instruction manual to understand. You require every third-party library I use in my applications to be patched weekly. I spend so much time planning upgrades that I have no time to actually create anything. I have to be in a constant state of cyber readiness, just waiting on the next shoe to drop. To top it all off, now you tell me every login has to have its own unique password that I have to change every thirty days, that can never be reused, that will inevitably be hacked anyway, and that completing any login requires multiple factors and six devices.
I guess as we grow up things change and people grow apart; however, I'm not ready to give up on us. I'm not going anywhere, and I suspect neither are you. I'm going to try to understand why you are the way you are by attending some of the courses we offer right here at cyberTAP. I've also been told that something called a security risk assessment can help shed light on your faults.
I hope this letter finds you well and that we can re-establish our friendship.
Your friend in all things cyber,
P.S. Can you please stop it with all the acronyms? Say what you mean to say. We're all grown-ups here; use your words.
About the author
Assistant Director, Business & Tech Services