Security and... Driving? (and Hiring)

PeeaycHPee

Tuesday, January 24. 2006

Security and... Driving? (and Hiring)

There's been a blip on the PHP blogosphere (think what you will of that word, it's accurate) regarding PHP's "inherent security flaws."

I guess it's time to toss in my 2c (even though I was one of the first to reply to Chris' post on this). Since I like similes, I propose the following: coding is like driving.



What? It's pretty simple, if you think about it.

If you drive, you'll follow. If you don't, but have tried, you'll also follow. If you've never tried it, you should. (-:

Coding is like driving. When you start driving, you're really bad at it. Everyone is horrible, even if they aren't aware.

As time passes, and you gain more experience behind the wheel, you're subjected to different driving conditions and new hazardous situations. These eventually make most of us better drivers.

Take me, for example. I grew up in a relatively small city in New Brunswick. I learned to drive there. At the time, there was very little street parking, and as a result, very little parallel parking. I was really bad at parallel parking for a long time. I first started driving when I was 16. It wasn't until I was 20 that some friends and I took my car to the first (and only?) Geek Pride Festival. Closing in on Boston, the roads got wider and wider. Suddenly, I found myself driving on a road that was 4 lanes in each direction. You laugh, but this is daunting for a guy who'd never driven on anything wider than 2 lanes (in each direction), before. I knew to cruise on the right, and pass on the left, but... how do I use those other two lanes? I now live in Montreal, and feel confined when there are only two lanes. (-:

Another parallel is when I learned to drive stick (manual transmission). My first few weeks were quite jumpy... then, my clutch foot smoothed out, and my passengers were relieved.

More food for thought lies in the insurace industry. Now, I'll keep my feelings towards these racketeering slimeballs (mostly) to myself for the purposes of this entry, but they DO do something right: reward experienced drivers (often at the cost of young males, but I digress).

I have a motorcycle license. I had to pass both written and driven tests to be able to ride. Even then, I only qualified for the lower class of bike ( < 550cc).

Alright, so what's my point? Simple: new coders are bad at their jobs. I thought I was good at the time, but I was horrible. I'm better now, but in 2 years, I know I'll look back at this and think about how bad I was 2 years ago. New drivers are also bad.

So, the people who control the roads have put a few safeguards into effect to keep these people from hurting others. First, there's graduated licensing in many parts of the world. When I was 16, I had a 12 month waiting period before I could drive by myself, and even then, I had to maintain a 0.00% blood alcohol level whenever driving.

Insurance companies penalize (or, if you're fluent in marketing, "don't reward") new drivers. My insurance payments are now an order of magnitude lower than when I first started driving.

Trucking companies are likely to hire newgrad drivers, but this is because their workforce is scarce. They put their better, and more experienced drivers on the most complicated routes. And most taxi drivers I see are well over 30.

Getting offtopic again: New coders are bad. They learn. Some quickly, some not so much. They make mistakes.

So, how do you get around this? Two ways. If you run a small shop, you should ONLY have experienced developers on staff. If your shop is a little bigger, then you can afford (ironically) to pay less to inexperienced devs that can do some grunt work, and get a bit of experience under their belts. Make sure that your good devs are reviewing their work, though.

You're effectively enforcing "graduated licensing" on your devs. If they have little experience, give them little power.

That said, I firmly believe (and agree with Marco) that it's not PHP's job to enforce this. Just as I would not expect Plymouth to limit my ability to drive my old Reliant K car. There are rules in place at a higher level, and that's GOOD in my opinion.

PHP is easy, or at least it starts out that way, and then, after a certain threshold, gets more and more complicated, but that's OK. Everything works this way. "Windows" is easy.. but when your registry pukes, it takes guru skills to clean it up (or novice skills to find your XP CD to reinstall). Driving is "easy"... just don't put new drivers in a situation they haven't seen before (whiteout/blizzard, collision, black ice, blinding sun, etc).

The money you save by hiring new grads (without proper mentors/filtering/etc) is often trumped by your exposure to security flaws, bad design, and failure.

A little aside: development shops and otherwise-hiring companies seem to be catching on to this. In the past 3 months, I've had 4 colleagues (former) come to me asking if I know any advanced PHP devs in Montreal who are looking for work... I've made a few suggestions, but most of the GOOD locals I know are already happily employed. If you live here (or are planning on moving here), and you've got LOTS of PHP experience (more than 3 years), have diverse experience, and are genuinely a good coder, let me know, and I'll try to hook you up.

S
Posted by Sean Coates in Thoughts at 13:20 | Comments (5) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

good analogy!

I totally agree with it all.

You know I use to code asp alot and really got angry at some people bitching it's security. Yeah it's not that good, but every code review showed me that it's bad code that left the sites open. You remenber all that scare? one word: zeljko!

thanx for the plug!

jf
#1 jfp on 2006-01-25 10:05 (Reply)
Sure coding is like driving, but even for this there's more security measures ( http://en.wikipedia.org/wiki/Car_safety ) :
- airbag
- security belt
- ABS : http://en.wikipedia.org/wiki/Anti-lock_braking_system
- ESP : http://en.wikipedia.org/wiki/Electronic_Stability_Program
- speed limiters
- Directional headlamps : http://en.wikipedia.org/wiki/Directional_headlamp

So even for drivers there's technological measure to assist them and help them make less mistakes. Theses measures will not prevent all accidents, but at least it will prevent some and thus for novice as experienced drivers.

There's no reason PHP could not do the same.
#2 FACORAT Fabrice (Homepage) on 2006-01-25 11:36 (Reply)
Fair observation.

Honestly, though: what do you actually expect PHP to implement to "solve" this problem?

S
#2.1 Sean Coates (Homepage) on 2006-01-25 11:41 (Reply)
I don't think this comparison is fair. A seat belt doesn't help if I don't wear it. And ABS is useless if I try to pump the breaks like I was taught in driver's ed. Cars offer things to help drivers stay safe but if they are not used or are not used properly, it is not the car manufacturer's fault when you get hurt.

The same goes for PHP. There are plenty of tools offered to programmers to help make their code safer but if the programmer doesn't use them or misuses them, it doesn't mean that PHP is to blame when an app has a security issue. For example, you can prevent SQL injection by sanitizing input and using prepare/execute (available in both PDO and PEAR::DB). Not taking these steps is done at your own risk. Just like driving without a seat belt.

Scott Mattocks
#2.1.1 Scott Mattocks (Homepage) on 2006-01-25 13:49 (Reply)
Yep, just like driving.... After a couple years you're cruising at 20mph over the limit, fiddling with the radio, putting on makeup, dialing on the cell phone, and changing clothes with an extra-super-big-gulp between your legs, a whopper in one hand, and a PDA in the other.
#3 Sara Golemon (Homepage) on 2006-01-25 13:58 (Reply)

Add Comment

BBCode format allowed

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

You can use [geshi lang=lang_name [,ln={y|n}]][/lang] tags to embed source code snippets
 
 

Pay the bills...

Calendar

Back July '08
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      

Quicksearch

Archives

July 2008
June 2008
May 2008
Recent...
Older...

Syndicate This Blog

My PERSONAL Blog

Note:
The contents of this blog are my own, PERSONAL opinion and do not represent the thoughts or opinions of the people I work with or for. If you have a beef with something I said, take it up with ME. Thanks (-:
Geo Visitors Map