June 12, 2008

Enemies Foreign and Domestic

Surround SCM
You're doing it wrong

Security in an application is one of those things that rarely gets discussed in a demo. Most people say "we have excellent security controls" and then move on to some alluring graphical drag and drop functionality. But security is something that lots of applications get wrong, for lots of different reasons.

First, I should say that I'm not a security expert. I read Bruce Schneier's blog and newsletter (so should you), along with all his books. With that said, I know that real security is hard.

One of the things to understand about Surround SCM is that the security we focus on is the internal security of the application, that is, authorization rather than authentication: how do we prevent users, once they have authenticated themselves (either using our internal authentication or an enterprise solution like LDAP or Active Directory, both of which we integrate with), from doing things they should not do?

My mental model for this is primarily that our administrators are using our security settings either to make their users' lives easier or to prevent them from doing things they didn't mean to do. For example, restricting users' access to some branches and repositories is often used as a way to limit the list of branches that people have to choose among. Restricting their ability to permanently remove files prevents them from doing something that really needs a whole lot of thought first and probably isn't what they want to do. That doesn't mean that our security isn't for preventing evildoers from, well, doing evil. It is. But I think most of our customers are less focused on malicious users and more on mistaken users.

I've been looking at other products in our space, and I'm often surprised to see the approach they take to security. Either they do very little, or they require you to write custom code to accomplish what you want. One company asks you to write Perl scripts in order to enforce restrictions on commands. Now, in theory, that is very powerful. You could write your script to make sure that only users whose last name begins with Q can destroy files, and only on alternate Thursdays. That is, if you need that. And can write Perl. And can debug Perl (clearly a separate skill from writing Perl, based on my observation). And you want to spend your time writing and debugging Perl scripts rather than, oh, I don't know, working on the things that make your company money.

I recently saw a presentation from another company that said over 5 years only 10%-15% of the total cost of ownership of an SCM system is license fees. I'm willing to bet that if you skip looking at how security works in some other SCM system, at least some of that other 85% or more will be spent on liquor to help you through those Perl debugging sessions. But just look at how cool drag and drop is!