baptism
Let's make one thing clear: I know very little about security-related programming.
Now, don't misunderstand: I know the best practices related to creating secure web applications, and I've picked up many other general security principles in the last couple of years, but those do not require me to write security-related code - just secure code. Making sure that your web application is safe from SQL injection helps to make your code secure, but it doesn't require that you understand the fundamentals behind security features. You're just an end user who has managed to perform his job correctly.
I think of security-related code as those parts of a platform that are responsible for authentication, authorization, encryption, and the complex protocols that the industry has created to simplify them. That's the stuff that I am not familiar with and, to be quite frank, has never really interested me. I'm not sure if the lack of interest was driven by perceived difficulty or the overwhelming focus on encryption that I encountered while in academia[1], but either way, I've always avoided security-related projects.
Until now.
The code base for Zero Core isn't that big, so while its event-driven architecture makes it harder for a new person to read through the code and understand the flow, it really doesn't take that long to figure out how things work. For the past few weeks, I've been trying to help out with some bugs and enhancements to Zero Core, mainly to learn more about the code and fill in my mental gaps; one of the enhancements that I was particularly interested in was related to authorization, but because there are more work items than there are Core team programmers, I was told that the enhancement would have to wait until our third milestone, meaning December-ish. The only way the code would get into the next milestone (October-ish) would be if I agreed to write it. So I did.
Let's make a second thing clear: bug 972 was not very hard. It's not a big feature, and you don't have to be a computer scientist to understand how it works. Had someone from our security team been available, I'm sure they could have written the code and the unit tests before lunch[2]. Still, I'm happy to report that I was able to read through all of the zero.core.security.* code and understand it, and I didn't break the build once during development. I feel a bit more confident in my ability to tackle security-related projects now, even if I've only scratched the surface of understanding. Baby steps.
Special thanks go to Zero security lead Todd Kaplinger, who made sure that I started off on the right foot and who didn't even make a face when I told him that I don't know much about security.
[1] Encryption is discouraging because I am certain that it is difficult, and that I do not possess the mathematical mind required to conquer it.
[2] It took me a day in a half, when you add up all of the hours.
Labels: narcissism, programming, zero
0 Comments:
Post a Comment
<< Home