The Average Developer and Cybersecurity

Here's how most developers feel about cybersecurity.

by David Lusztig · May. 14, 19 · Opinion

Once upon a time, I wrote an article called "What Coders Really Want."

I was blown away by the number of people who actually related to what I was writing about. Long story short, I got a very interesting comment from a reader who goes by the name Richard Smith.

Let me just quote him real quick:

Based on your experience, could you write something up on developers and security. Security, today, is unavoidable for complex valuable systems. It also makes it hard to explore and learn when one is new and really slows things for the experienced. Security is a broad subject and I would be interested in anything you write, any take on it. I work in vast monetary systems, which more and more are need to know only access. The auditors locking it down don't know who needs to know for the most part, but beyond that, how does one innovate in areas that are no longer visible? - Richard Smith on 2019-01-10

This was back in January 2019. After reading his comment, I promised an answer. I had time to think it through, spark some discussion, and share war stories with my ex-colleagues over his points in order to see if what I think is right. Indeed, the topic is broad, so I chose to write about the cognitive aspects and the company side of it.

You Know, the Stuff ALL of Us Do (Not Do)

I can tell you this: Cybersecurity is one of my nightmares. If it isn't yours, well, it should be. On the other hand, I think we can all take it easy, as there is very little you can do to ensure your safety.

Cybersecurity Is Like a Disease.

A cyber threat seems like a mysterious, stealthy killer who lurks in the shadows. Like the plague or cancer. And one might think that as long as you are not a chain-smoker, clinically obese, or drink 7+ units of alcohol per day, you will never get sick. Well, that is not so scientific, but I think most laymen felt relief after reading my last two lines.

The Problem With the Last Paragraph Is That It Is Not True

Cyber threats are a very wide topic. In fact, for most people I know, it is too wide. Wide? Try 3D. And there are a great number of distractions out there that stop us from being "smart" when it comes to cybersecurity.

Based on my own personal experience, the average developer is not heavily tasked nor intensively and actively involved in creating the commercial plan for their own code. But here, I have a little fun fact: Developers have been overheard more than once joking/complaining about how commercial folks try to use them to "fix their business strategy by making up their own solutions in the code."

That is actually a super relevant point. You, commercial people, should not do such a thing. But as we all know, that is just not how the cookie crumbles, most of the time. In summary, we have a world of distractions around the code.

I am glad Richard also mentioned another issue: the "need to know only access," or as I call it: compartmentalization.

Remember This

Compartmentalization is the one thing that I believe actually works in security where developers are involved. Cybersecurity, on the individual level, such as breaking up a bank account and so on, is largely a predictive game. Not too hard for the average hacker.

Funny? So. You. Think.

Why compartmentalization? Cybercrime has a great number of motives. Direct financial gain is only one of them. Most people underestimate themselves on the global networking map. This "map" is really a more clever way of describing the "six degrees of separation" theory. You might be profiled and monitored over the years, or your laptop might be part of a "sleeper network" or worm. This network might execute an action or false communication directly, or indirectly, on behalf of a party who wishes to gain something from someone else — in your network, posing as you, recommending you vote for Brexit, whatever.

Is this possible? Why not?

We build commercial logics based on known and ethical cognitive biases on a daily basis for hundreds of millions of people (psst, it is called marketing).

Conclusion

Developers, I know, are pre-occupied with cybersecurity, and the fear for them is very real. So, we are all trying our best. We must combine common sense with the best practices. I think that is the best you can do.

And lastly.

"How can one innovate?" asks Richard so justly.

My answer is simple: People only do things they must. If you are an innovator, you cannot suppress the urge and creativity inside you. You will find a way to innovate or move on to a place where you will be enabled and empowered to do so.

Fact: I have deleted all my data from Facebook after 11 years. This I have done due to a number of unsettling events that happened to me and my data. I strongly urge everyone reading this article to consider their online identity's worth and measure it against the threats out there.

One Last Anecdote and I Am Done...

Back in 2013, I was standing in line waiting to vote on Election Day when an unidentified number called me on my cellphone. I always answer those.

Before I managed to say anything, a voice stated that she was calling from my bank's cybersec division, and after a quick ID check, she asked me hurriedly if I was:

RIGHT NOW, IN PHILADELPHIA, TRYING TO CHECK INTO A MOTEL?

Since, at the time, I was on another continent, my answer was: Please cancel that card right away. She said: "done." Almost got me there.

That card was in my wallet at the time of the call and I always buy online only from really reputable companies, such as Amazon. All I am saying is, even if you are careful, it is best not to have a credit card!

Go debit. Woohoo!
