Pushing the job to security
I’m taking a more active role in the direction of my career, moving it in new directions, and I think it’s time for a retrospective.
Until a few years ago, I worked on a team that supported primarily department web sites (for the Office of the Chancellor at Minnesota State Colleges and Universities). I thought of myself as mostly a backend guy: PHP and mod_perl web development, Apache and MySQL administration. The others on my team did more direct support of department users. Or so I told myself. In retrospect, I did a lot more user support and was more closely connected to the front end than I believed. I was (am!) still the web standards advocate leading the way in CSS adoption. I was (and am) the accessibility guy, leading accessibility instruction for our college & university webfolk and even faculty. I don’t say this to toot my own horn, but rather to highlight that even though I thought of myself as a backend developer, I was very closely tied to the user experience. Certainly my Java programming colleagues on the other web team in the office knew this, but they readily admitted to hating HTML, CSS, and JavaScript, so were eager to find someone who gave a rat’s ass about that side of the work.
Not much has changed, come to think of it.
When my position got shifted in a reorg and I got moved onto the Java team working on enterprise web apps, I became the UI guy. On a team of Java programmers, most of whom were new to web development, this made sense and it’s a role I readily took up. Our web apps look like crap. They could use some updating. The team structure was a mistake: hiring began before our supervisor was brought in to weigh in on skillsets that we needed for web development, so we ended up with a team who all think of themselves as Java programmers instead of web developers. Sure, they’re smart people and decent programmers, and maybe web development isn’t rocket science, and I mean no disrespect to my coworkers, but geez it makes a difference in the quality of apps you produce. But I’ve already written about that and will write more.
My role right now is primarily defining the user experience. I work with business analysts and stakeholder groups to spec out the user interface and application flow, and help the developers work out the annoying details like how to do something with JavaScript or CSS. It’s fun work. The past year or so I haven’t been too involved in much coding — and that’s okay, since I’m not a huge one for JSP and my feelings about Java as a web development platform are known and not favorable. :)
Another part of my role that I’ve been trying to expand is web application security. So far there aren’t a whole lot of people pushing very hard to make it part of my job, but that situation is improving.
What’s missing is a connection to education. No student contact, although I’ve been working on software for student services. I don’t feel a connection to online learning, to educational technology … I’m privileged to be a part of an educational system: I grew up wanting to teach and still want to be involved in education, but really I’m not. Organizationally we’re divided sharply between academic and administrative systems, and I’m on the admin side. I hope that distinction will blur, that we can put development resources more directly toward educational goals, but we’ll see.
A recent meeting also made me realize that I feel out of touch with open source software. I’ve taken it for granted. Almost everything I work with is open source — web frameworks, JBoss, Eclipse, LAMP. Some of that has been a struggle, and it’s easy to forget the struggle and overlook when open source isn’t even on the table in places where it makes sense: data warehousing, content management systems. (Actually, I didn’t overlook open source in the CMS question, I threw up my hands in disgusted exasperation after six years of inaction.) Anyway, open source is making inroads into our colleges and universities, and I want to find a way to be a part of that.
I feel like I did in college, when I spent an ungodly amount of time wrestling to unify courses of study in French, historical sociolinguistics, religion, and medieval history. I want to bring together web standards/user interface/user experience, dynamic languages, agile software development, open source, educational technology, and security, all while still trying to do the day-to-day work necessary to get software out the door.
Which we barely do, but that’s another story.
Sometime in the last few months, it struck me that I haven’t been taking active charge of my career, I’ve just been going wherever events have taken me. That’s not entirely true, of course, since I did get the hell out of my HR job when I realized that it was being pushed in a direction I didn’t like. I don’t want to just float along anymore.
I have decided that if I need a focus in my career, it won’t be user interface. It will be security. Through everything I’ve done, that’s been a common thread. As I mentioned here a short while ago, software security is a big problem, the elephant in the room that is partly responsible for what Noam Eppel describes as The Complete, Unquestionable, And Total Failure of Information Security. At MnSCU, we’re taking steps in the right direction toward improving software security, but we can always do more. I’m running up against a wall in what I can do as a single developer to infuse security into our software development life cycle. I can work from the bottom up, but I’m realizing that we also need to work from the top down. Secure development should flow from and be traceable to policy, to help identify standards and establish metrics. But all the policy and best practices in the world won’t help if the developers don’t know how to write secure software, and the architects don’t know how to, well, architect with security principles in mind. We need to approach the problem from both directions to be successful.
My secret goal over the next few months is to lay the foundation for more of that top-down software security work, while continuing to push more aggressively up from the bottom.
And in terms of professional development, I may well pursue more schooling. I have a lot to learn.
So expect a lot more writing about security here. Along with everything else, of course. Plus ça change…
05 Jun 2006 Sam