Jun 27

The “Whole Audience Thing” through the Lens of Star Trek Discovery

By terranceacrow | Novel Pre-Production

I’m trying to be a student of Sterling & Stone’s Smarter Artist approach to indie writing. One of their core concepts, just after “Know your why,” is to know your audience and to write material they’d want to read.

Not sell yourself out by writing junk you think might sell, but by finding your audience, a group of folks who want to read the kinds of things you want to write, and writing for them. It’s an important rule, and like all rules, only a master can break it with hope of success.

For example: When Harlan Ellison wrote the original script for Star Trek’s (original series) episode City on the Edge of Forever, legend has it that he had crew members on the Enterprise dealing drugs. The Star Trek audience wouldn’t have accepted that, because that’s not the world Gene Roddenberry envisioned for Star Trek. Harlan Ellison* criticized the decision to change his script, but in the end, Roddenberry and associates won out to protect the integrity of their vision. Otherwise, they would have disconnected from their audience.

As I’m building the world for Divinity Falling, I saw the official first look trailer for Star Trek: Discovery. I wondered why I disliked it so intensely. Stars I like hold the leading roles. The special effects look like they’re top notch for today’s technology. But you know what?

It’s not Star Trek.

Even though it says Star Trek right in the title, it is not Star Trek.

First, Star Trek is about the ships. I can tell the difference between the Constitution-class Enterprise and Enterprise-A; the Excelsior-class Enterprise-B; the Ambassador-class Enterprise-C; the Galaxy-class Enterprise-D; and the Sovereign-class Enterprise-E. I can even identify the NX-class Enterprise by sight. Maybe because of the tireless work of the designers since the original series, the ships of each era had distinctive characteristics. At a glance, you know that the USS Reliant from Wrath of Khan was a contemporary of Enterprise-A, or that the Defiant from Star Trek Deep Space Nine was a contemporary of the Enterprise-D. The ships and their related technologies like Star Bases gave the world of Star Trek a distinctive and comfortable feel. Not only the ships, but their interiors, especially the bridges, were part of a continuity. As a fan, I loved that.

I’ll bet you can tell at a glance what period a ship comes from. Check out this image from Deviant Art. Don’t read the caption. Just at a glance, what period is it from?

The Discovery doesn’t seem to fit anywhere in that timeline. Watching the official first look trailer, I felt like I was watching something from the Kelvin timeline. It’s nothing like what I’d expect for a bridge that existed before the Enterprise of the original series. If anything, I’d expect it to share updated characteristics from the Enterprise shown in The Cage. Truth be told, I’d love to see a resurrected design like that!

Technology changes, you say. I can’t expect a series produced in 2017 to use such outdated visuals, you say.

Sorry, I ain’t buying it!

The Star Trek Next Generation episode Relics showed the original series Enterprise bridge in a Holodeck simulation, and it never looked better. And if you want to be part of Star Trek, be part of Star Trek! Don’t make something that looks like a cross between Dune and Star Wars A New Hope! Both are great franchises; but neither is Trek.

The second characteristic of Star Trek has survived almost all of its television incarnations, even, to a lesser extent, through Enterprise: social awareness and commentary. Whether they’re protesting the war (like the war contemporaneous with the original series, which was Vietnam) in A Taste of Armageddon, exploring the insanity of racism in Let This Be Your Last Battlefield, or the implications of disability (like deafness) in Loud As a Whisper, Trek often dove into these topics. That’s part of its timeless appeal. Did you see anything like that in the Kelvin timeline? I didn’t. This is only conjecture, but I’m betting that’s part of why the latest movies haven’t spawned the kind of merchandising success that we saw for previous efforts.

As a part of the original Trek audience, I can say that those forays into social commentary are what stay with me.

I look at the official first look trailer, and I don’t see anything that speaks to me. And lest you think I’m just being a typical old curmudgeon yelling at the new series to get off my lawn, consider: I watched Prelude to Axanar, and I see what could have been if the powers that be doubled-down on the core Trek audience. I even watched the trailer for a Trek spoof called The Orville, and I’m excited! That’s more Trek than Discovery!

Be honest. Watch the official first look trailer:

Then go watch Prelude to Axanar:

Heck, go watch the trailer for The Orville:

Please, be honest.

Which of those three shows look and feel the most like Trek?

I’ll tell you my opinion: Axanar first, Orville second, and that’s it. I don’t think poor Discovery feels at all like Trek.

If Harlan Ellison, a Science Fiction Grand Master and one of the most prolific and imaginative writers of our time, had to respect his audience with “City on the Edge of Forever,” then I’m betting that Discovery will have to as well. That is, if the show hopes to succeed.

What do you think? Am I being too harsh on an unproven series? Do Discovery’s current masters seem to lack respect for the Trek universe? Or am I setting up a false dilemma? Let me know in the comments!

* If you’re interested in learning more about Harlan Ellison and his colorful personality, I strongly recommend Dreams with Sharp Teeth. I re-watch it when I need a creative boost.

May 02

Can Storyist Defeat Scrivener?

By terranceacrow | Product Review

I like Scrivener. It’s powerful, it gets out of my way when I want it to, and it can produce e-book output. But there are times it lets me down. Like when I want to change a Style and — whoops! — Scrivener doesn’t have styles! Then I get antsy and look around.

Yesterday, I tried Storyist. The feature-set looked close enough to warrant the effort. Wonder if I’m still using Scrivener or not?

Working with Characters

Right now, I’m working on Divinity Descending (previously known as Divinity Falling — but that had too much of an “I’ve fallen and I can’t get up” vibe, so I switched). That means it’s character creation time! I’ve taken some hints from The Smarter Artist, and one of their ideas was to use actor’s photographs to “cast” the role. I can’t exactly show that aspect in this post, because I don’t have enough money to afford to buy the rights to the photographs. But I can compare the non-photographic pieces. Comparing the two programs, I can say that:

  1. Both allowed me to create a section to hold characters
  2. Both allowed me to create folders under that section
  3. Both allowed me to create character descriptions/sheets under the folders

Here’s a sample of what the two looked like:

Scrivener is in the upper left; Storyist, in the lower right.

The good news for Storyist? First, I liked its dark-mode. It looks particularly good on my iMac’s 5K Retina display. It let me create the layout I wanted, and it gives me an overview display that lets me see the characters at a glance.

Unfortunately, there’s bad news, too. I can add pictures to the Storyist character pages, but the size is fixed. I can’t change the size of the display! To me, that’s a big problem. When I’m in create mode, I like to just slam pictures into the page. I don’t want to have to stop and think of how I have to center/modify/etc. the pictures. So, I have to give this important category to Scrivener.

Plotting

There’s good news for Storyist here, too. Consider this screen shot comparing the two programs:

Again, Scrivener is in the upper left and Storyist is in the lower right.

I’m trying to learn how to implement the ideas Larry Brooks writes about in Story Engineering. Not sure if I’m doing it right, but both programs let me try to interpret those concepts. You can see the basic outlines in the screen shot above.

Storyist gives me something that Scrivener doesn’t: a really easy way to link scenes to plot points (the documents with light bulbs) to sections (the documents with gray hashtags). First, I laid out the sections (Set-Up, Response, Attack, and Resolution). Then, clicking on one of the sections, I was able to create the plot points. As I did so, those plot points were automatically linked to the section. I found that really convenient.

This category goes to Storyist!

Creating a World

This category was the make-or-break category for Storyist. How’d it do?

Take a look at this diagram:

Scrivener allows pretty much any size graphic. Storyist? Sigh…

In Scrivener, I can paste just about any size graphic into a document. Need a huge map of the US? No problem! Need a panoramic view of a valley? Sure! Paste away!

Storyist?

Remember the note about character graphics? It applies to graphics pasted here, too. There’s supposedly a way to get bigger graphics by using a collage, but I want a graphic of a map for my world location/setting called United States Map. I want to be able to read “Kansas Supremacy” (even if I can’t spell it in the screen shot!). That’s not happening in Storyist.

For me, this was fatal. I had to disqualify Storyist, at least in terms of my workflow, because of this.

Scrivener’s Death-Grip!

Scrivener doesn’t have styles. That offends me. Okay, that’s hyperbolic. Its lack of styles blunts my control over formatting. However, when I looked at Storyist, I liked some of its features and could live with other features that weren’t my favorite, but its approach to graphics was a complete mismatch for how I approach writing.

Am I saying Storyist is bad or evil or whatever? Good gravy, no! I’m just saying it didn’t work for me because of how it handles graphics.

So, Scrivener retains its position as my writing tool of choice!

Guess I don’t have the excuse of trying another writing tool to prevent me from getting back to writing!

Nov 21

Politics Aside, We Are Supposed to be a People…

By terranceacrow | Politics

To file under the auspices of “I think we’re living in a science fiction parallel universe…”

Or, more accurately, “Please God, let us be living in a parallel science fiction universe…”

Yeah, I know it’s horribly arrogant. But I’m going to say it anyway: The United States is supposed to be a beacon of hope to the world. The Founding Fathers tried to establish a government that would “establish Justice, insure domestic Tranquility, provide for the common defence [sic], promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity.”

Secure the Blessings of Liberty…

First, please be aware: I do not accept the idea that there is a Right and a Left in American politics. I perceive these as fictions designed with one simple (and unfortunately effective) idea in mind: to control the population, to pit one “side” against the other, to convince people on one “side” to ignore their own best interests under the auspices of supporting their party.

Second, I ain’t the brightest person Sol III’s produced. I admit that readily. The trouble is, of all of my attributes, my intellect lets me down the fewest number of times, and it’s whispering some dark things in my ear…

I get that the political elite have utterly (and I fear, irrevocably) ignored the needs of vast swaths of the population. Global trade deals, while necessary for the country’s long-term health, were implemented in such a way that too many citizens lost their jobs. One would have been too many, but these losses crushed the middle class — the segment of the population on whose backs the country rested.

Much like the military rests on the backs of the senior non-commissioned officers.

The political elites — the military officers in this analogy — abdicated their responsibilities. Instead of building programs to retrain those who wanted to be retrained, or to incentivize industries in the same areas where the jobs bled away, the political elites made deals that ensured their personal futures and fortunes.

And the middle class workers watched their livelihoods wither.

To support this rift, to obscure their real goals and to maintain their power base, the political elites pushed more and more heavily the false “right vs left” paradigm. They also manufactured artificial enemies, whether they be minorities, those who have non-traditional (whatever that means) sexual views, or whether they hold a faith different from those in power, because what artificial power base can exist without a presumed enemy?

I mean, the very last thing the political elites want is for citizens to awaken to the simple idea that they were all suffering, and that many of their collective woes could be addressed by a common set of programs and themes.

I also get that those who were neglected and relegated to the fringes would latch onto anyone who seemed like they would speak for them. The hero motif is strong in human civilization, isn’t it?

But…

Pink Floyd’s The Wall was not supposed to be a How To!

I watch The Wall’s scene for “In the Flesh” and I see the coming inauguration…

Watch this and be honest. How many of the “enemies” that Bob Geldof’s character calls out are the same ones that the current President Elect, and his supporting apparatus, call out as enemies? As those whose rights must be stomped into the dirt?

And these same people who are called out are United States citizens!

I watch “Run Like Hell” and I see the first 100 days…

I mean, we’re already seeing an upsurge in incidents of cruelty. I’m not talking about sins against “political correctness,” a concept that I reject as nonsensical. I’m talking about humans being cruel to other humans. No spin, no euphemisms, just a stark, honest recognition that those who now see themselves as in power are ramping up their verbal and physical attacks on humans who are not now in power.

White supremacists supporting the President elect

How is that an America ideal?

Thousands of Americans died in the mid 1800s in an attempt to kill the idea that one color of skin was superior to another.

What’s it going to take to grant Liberty to all Americans?

What’s it going to take for those of us who the political elites ignore to come together, ignoring the political parties who have clearly failed us, and demand that the government do the work “of the people, by the people, for the people”?

As a science fiction writer and student of history, I can see that the times we live in are of academic interest. I can compare what I’m seeing now to 1984 and reflect how that, too, was not supposed to be a “how to” manual. I can reflect on how my next novel was going to tackle many of these themes, but now I’m wondering if history’s caught up with me. Maybe I’m writing a news article instead of a science fiction novel?

But as a human, as someone who struggles to understand the plight of other humans and who tries, however much in vain, to alleviate the pain our society inflicts on others…

This is a terribly dark time to be alive.

Oct 20

A Ghast in Melchizedek’s Backstory

By terranceacrow | News , Novel Pre-Production

You know how when you’re really into writing — when you forget there’s a keyboard and the words flow unfettered from mind to screen? It’s like establishing a warp field. Until something pierces the field, your creativity’s flowing — but even then, you’re only mostly in control.

Case in point:

I’m working on a scene from Melchizedek’s* adolescence to help me fully envision his backstory. I had a specific goal in mind, and I was happily writing toward that goal. Dek’s in a VR landscape when he encounters an AI ghost that’s supervising some children.

Here’s where things got weird.

I had intended for him to interact first with the ghost, then with the inhabitants of the church/school behind her. I had several scenes of dialogue queued up. But — and I swear I have no idea why this happened — I got to watch an AI ghast split away from the ghost and confront Dek. As The Spooks Bestiary notes, a ghast is a ghost splinter. The ghost remained on task with the children; the ghast interacted with Dek.

I’ve learned to go with these moments, and by the time the scene was done, a new potential theme and subplot had emerged, dealing with the ethics of imprisoning an AI, especially an AI that didn’t know it was imprisoned.

Nobody expects the ghast! At least, I didn’t. It’s cliche, but the creative process is a mystery!

Maybe it’s cliche to say, but I’m still a little in awe of the mysteries surrounding the creative process.

If you’re interested in reading the backstory, I have good news! As soon as I get my e-mail list up and running, I intend to offer the backstory as a gift for subscribing. Then, I’ll periodically “reward”** my subscribers with new backstories, story notes, starship sketches, or other pre-production material. Just think: someday, I may be famous! That stuff could become cool mementos!

See you next post!

* My wife suggested that instead of calling him Mel (as I intended to), I should call him Dek. I think she saved me from forever associating the main character of book one with the TV sitcom Alice, in particular Mel’s Diner. I enjoyed the show; I’m not trying to disparage it. But it’s so not the vibe I’m going for in Divinity Falling.

** I hope it’ll seem like a reward!

Sep 22

Titles, Characters, and Old Demons

By terranceacrow | Novel Pre-Production

Trilogy’s Title

In my last post, I laid out the titles for the books making up my first planned trilogy. You may recall that they were:

  1. Divinity Falling
  2. Olympia Dreaming
  3. Founders’ Rising

I proudly announced that the trilogy’s title would be The Fall of Caerleon.

My daughter, who is herself a published writer*, read that once, frowned, and asked why the titles were non-parallel. Sigh. She didn’t buy my explanation that Auto Correct was the culprit.

So, I am now re-announcing the trilogy’s title. It’s:

Caerleon Falling.

Characters

My favorite part of writing a novel is building the characters and the world. It’s the point at which the fictional universe has the maximum potential. Anything can happen; anyone could be in the story.

Unfortunately, no matter what I do, moving from potential to actual disappoints me, because the finished product never looks like what I thought I could envision. This Facebook post from Writing about Writing is a perfect illustration:

I fully intend for Caerleon Falling, taken as a whole, to be “so amaze” with “much magic.” “Much adventurer,” too.

So far, I’ve sketched the seven critical characters. I may add another one or two, but I’m not good enough yet to handle too many at once. I’m using an idea I got from Sterling & Stone: I’ve associated an actor with each character. That helps me visualize the character’s physical appearance. I’ve pasted the actors’ pictures in my Scrivener documents that describe the characters. Part of me feels like that’s cheating; another part feels like I’m using good advice from a trusted source!

Sometimes my degree in theology manifests itself in unproductive ways.

Old Demons

I can sit down and write code without a second thought. I can write business documents without flinching. I can even write blog posts without undue panic.**

Why is it, then, when I sit down to write Divinity Falling, I feel like all sentients across all times in all universes are peering over my shoulder to point and laugh?

It’s the same thing I fought when I was a young ‘un.

But no matter how I articulate the problem; no matter how clearly I can describe it; no matter how tired I say I am or how overworked I feel; there’s one answer.

Write.

Don’t read about writing.

Don’t think about why I’m not writing.

Don’t complain about (insert my “Gripe of the Moment” here).

Write.

Then write some more.

Read from time to time.

Then write.

So, I’d better get back to it!

If you’re so inclined, leave a comment to answer: Do you ever get the same kind of feeling? Do you even experience writer’s insecurity? Or — gasp! — am I all alone in this?***


* If you’re interested, you can read her short story in the anthology Triskaidekan. Her story’s called “XIII.” You can buy the book here from Amazon (disclaimer: I’m an Amazon Associate).

** You might not be able to tell it by the dearth of content here. My excuse? My full time job takes a lot of my time. My other blogs, like Crow’s World of Anime and my application developer security site Interstell, Inc. also demand some of my time. Still, that’s no excuse. Must. Write. More.

*** Too many of my writer friends have expressed similar misgivings for me to really think I’m alone. But then, none of us have major or best sellers under our belts! So I’m not sure we’re the best sampling.

Sep 01

Prose Just Got Real: The First Trilogy Has Working Titles!

By terranceacrow | News , Novel Pre-Production

My last post mentioned Larry Brooks’ Story Engineering (you can buy it here — I can’t recommend it enough!). The book’s a wealth of information about all aspects of writing a novel, from the nuances of character creation to plotting. The latter was of particular interest to me, since I had concluded that my writing skills lacked one critical part: I didn’t know how to plot a novel.

Yeah, I’m kinda disappointed with me, too. You’d think by now…

Putting aside my natural tendency to try myself, convict myself, and give myself a stern talking to, I’ve finished Story Engineering. I’m excited to say that after digesting the chapters about plot, and after applying the architectural principles Mr. Brooks described, I’ve come to a conclusion.

He’s right. There’s a repeatable way to approach plot. And I think I can do it.

That was the last obstacle to me starting my first trilogy. Well, to be completely honest, my first trilogy since high school. That means my excuses are exhausted.* It’s time to get started.

The trilogy’s working title is The Fall of Caerleon. I’m going to grapple with the idea of the purpose of power; of its uses, abuses, and controls; its links to our empirical and mystical aspects. The Conrad family, much like Masayoshi Son, has a long term plan to better humanity. Will that plan survive the enemies arrayed against it? Will it survive the Conrad family?

The first book, Divinity Falling, follows Melchizedek “Dek” Conrad as he struggles to push back the advances of Terran Consolidated Products and its hyper-cash reserves against his company. At the same time, his company is trying to get off world to gain the breathing room it needs to take the family’s plan to the next stage. Which force will be more compelling?

Olympia Dreaming, the second book, follows Jack Conrad’s fight against Aldertraum, one of Earth’s colonies, as it tries to take humanity on a dark but unfortunately familiar path. Can humanity rise above its hard-wired behaviors? Or is it doomed to remain in the cave forever? This takes place a couple of decades in Divinity Falling’s future.

The last book of this trilogy, Founders’ Rising, presents Benjamin Conrad and the maiden voyage of the Resolution. Set just after Olympia Dreaming, the story portrays the conflict between human power and its links to claims of divinity. Can humans overcome their ancient tendencies, even in the face of species extinction? Will Aldertraum’s attacks prevail? Are they even the real enemy? Or is our own nature much more deadly?

The problem of human power has always fascinated me. We need power to get things done, to influence groups to come together to accomplish things that individuals can’t achieve. At the same time, our history’s littered with the aftermath of power gone mad. History’s also full of attempts to manage or control power. Most recently, we see the foundation of the United States and the establishment of three branches of government to act as checks on power. We’re witnessing a time when those checks have been attacked and eroded, but that just increases my interest: how can humanity harness its collective will without falling into demagoguery? How can we withstand the corrosive effects of hyper-cash — and should we? If we should, why? What’s the justification? I hope to explore those questions in this trilogy.

How do the titles sound to you? Any thoughts on humans and their exercise of power?

Now, please excuse me. I have some work to do!

* If you’re a writer, you’ll understand that this should be interpreted not as a statement of fact, but as a desperate plea!

Jul 29

One More Piece of the Puzzle…

By terranceacrow | News

One more piece of the puzzle and I’ll be ready to start working on the arcs for the first trilogy.

No, really! That’s the plan! This time for sure!

Why now? What’s changed since I wrote my last novels?* Well, my wife introduced me to Sterling & Stone. If you have any interest in self-publishing, go check out their site. Right now. I won’t mind! I’ll wait.

They’re busily perfecting the art of self-publishing high-quality works in a number of genres. Even better (as if that accomplishment weren’t enough, which it is!), they share what they’ve learned. Watching their videos and listening to their podcasts is an investment that I have no doubt will pay off. I now have an idea of where to start when it comes time to publish the first book. That is to say, when I finish writing the first book.

I’ve reviewed my writing skills, and I found I have a gap. I know how to write sentences. My character development will improve over time. Thumbs up to my dialogue! But I don’t know how to weave a compelling story. I gave myself some homework: find a popular, self-published book on Amazon and figure out why it was popular. Here’s what I chose:

I could nit-pick the book — I hate similes, and I don’t think the writer, A. G. Riddle, ever met a simile he didn’t like. But you know what? I had a hard time putting it down. I was disappointed when it ended. Apparently, I’m not alone. Amazon says the trilogy (which includes The Atlantis Plague and The Atlantis World) has sold over 2 million copies.

Let that number — that astonishing accomplishment — sink in for a moment.

My homework was to figure out why that trilogy has sold 2 million copies — despite me not liking its similes.

I think I found the key in Larry Brooks’ book called Story Engineering:

He does an outstanding job of covering all aspects of writing novels, but his chapter on plot blew me away. He laid out, in clear and concise terms, what a successful plot should look like. He didn’t dictate an inflexible set of rules: he pointed out a clear set of guidelines that define what a successful novel’s plot should look like.

I think this is the last piece I need before starting the first trilogy.

How do I know that’s the last piece? I don’t. Not yet, at least. But I know this: I can’t tolerate any more excuses. My daughter’s out of college. I’m not getting younger (quite the contrary!). It’s time to put up or shut up; do or do not; spread my wings and fly; and <insert your favorite cliche here>.

As I work on the material, I’ll share bits and pieces here in the hopes you’ll see something interesting. Feel free to comment!

Now, time to get writing!


* Are you ready for this? I wrote my last novel over 30 years ago. 30 years! That’s like, a lot of time. It took me that long to exhaust my reservoir of excuses! It’s hard to believe that it’s been 30 years since Olympia orbited the planets of Sirius, or the Resolution was lost…

Jul 04

Wasn’t This an Application Security Blog?

By terranceacrow | News

Yes, it was!

Interstell, Inc.’s adjusting its properties to better serve its customers, so this site, www.terranceacrow.com, is transitioning to a blog covering the challenges and jobs of writing novels.

Realigning Our Sites

The application security material is moving (and we hope expanding!) at this site: www.interstell.com.

Please visit us there!

And if you’re interested in writing novels, please check back here from time to time!


May 11

Where Does a Developer Even Start?

By terranceacrow | Security Industry

One Day, It Dawns on You…

Let’s say you’ve developed code for awhile. If a Project Manager, business partner, boss, or someone else with requirements comes to you, you can convert their business-speak into technical requirements. You can turn those requirements into an application that gets the job done. Customers love the results of your labor! As the accolades roll in, you’re probably feeling pretty confident.

Then you read an article like this one in CSO Online that says 736 million data records were exposed in 2015. Troubled, you put your developer skills to work and look for a solid, technically-recognized reference to explain how your baby might be vulnerable. You find Verizon’s 2015 report called 2015 Data Breach Investigations Report. You read. And you read.

And you read.

You study the charts. You match your business’ profile against the ones in the report.

You set the report aside, realizing that it’s good high-level data, but you need something more concrete. You find the SANS Securing Web Application Technology (SWAT) Checklist. It has seven sections and a total of 58 individual entries. The picture’s getting clearer; it’s a good description, but with few code examples, and some terminology may be unfamiliar.

Undaunted, you cast around for something more focused and helpful for you as a developer. You come upon the Open Web Application Security Project (OWASP)’s Top 10 Vulnerabilities. Finally! A resource designed specifically for developers! There are some actual code examples! But after more review, some of the examples are aging or refer to products that aren’t being updated. Or the examples aren’t in a language that you are using.

If the data’s there, it’s not in a form that’s easy to get ahold of.

So, after hours of careful deliberation and research, you come to the conclusion:

Crap. I’m doomed.

If some of the biggest companies in the world can’t keep their data safe…

If even some nation-states can’t protect themselves…

If the leading industry solution providers don’t have something that’s easy to consume…

Yet your application still needs to run on the internet…

What can you do?

The Truth Is… Well, You Know!

It’s out there (the truth, that is).

You know why validating data’s important for your application, right? You wouldn’t let someone enter a negative dollar amount in a gambling game. You wouldn’t let someone enter “99/aa/0998af” as a birth date. You wouldn’t let someone upload an EXE file instead of a JPG. You wouldn’t do these things because you feel responsible for protecting the data that comes into your application, right? You know that the wrong data results in the wrong outputs. And that makes customers unhappy.

At its essence, that’s security.

The data’s out there. It’s just not packaged for quick consumption — which is what you as a developer need.
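The three checks described above (a wager amount, a birth date, and an upload that claims to be a JPG), written out as an added example that is not from the post. The author promises Java and PHP; this one is Python, and the table limit, function names, and the two sample files are constructed for illustration. Its point beyond the prose: each validator allow-lists what is known-good and, for the upload, decides by file content rather than by the name the client supplied.

```python
from datetime import date, datetime
from decimal import Decimal, InvalidOperation

# Added example, not the post's own code. Limits and names are constructed.
MAX_WAGER = Decimal("10000.00")   # constructed business limit for one wager
JPEG_MAGIC = b"\xff\xd8\xff"      # every JPEG file starts with these three bytes
PE_MAGIC = b"MZ"                  # Windows executables (EXE/DLL) start with "MZ"


def validate_wager(raw):
    """Return (ok, Decimal) or (ok, reason). Rejects junk, non-positive and sub-cent amounts."""
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        return False, "not a number"
    if not amount.is_finite():          # Decimal accepts "NaN" and "Infinity"; refuse both
        return False, "not a finite number"
    if amount <= 0:
        return False, "wager must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return False, "more than two decimal places"
    if amount > MAX_WAGER:
        return False, "exceeds table limit"
    return True, amount


def validate_birth_date(raw, today=None):
    """Accept only YYYY-MM-DD that is a real calendar date in a plausible range."""
    today = today or date.today()
    try:
        born = datetime.strptime(str(raw), "%Y-%m-%d").date()   # "2023-02-30" fails here too
    except ValueError:
        return False, "not a YYYY-MM-DD date"
    if born > today:
        return False, "birth date is in the future"
    if born.year < today.year - 130:
        return False, "implausibly old"
    return True, born


def validate_jpeg_upload(filename, content):
    """Decide by the bytes, not the name: an EXE renamed to .jpg still starts with MZ."""
    if content.startswith(PE_MAGIC):
        return False, "content is a Windows executable, whatever the name says"
    if not content.startswith(JPEG_MAGIC):
        return False, "content is not a JPEG"
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False, "extension does not match JPEG content"
    return True, "jpeg"


# Constructed sample uploads: a minimal JPEG header and a minimal PE header.
FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01"
FAKE_EXE = PE_MAGIC + b"\x90\x00\x03\x00\x00\x00\x04\x00"


def run_samples():
    """Exercise the validators on the inputs the post mentions; returns {label: ok}."""
    return {
        "wager 25.50": validate_wager("25.50")[0],
        "wager -5": validate_wager("-5")[0],
        "birth date 99/aa/0998af": validate_birth_date("99/aa/0998af")[0],
        "exe named photo.jpg": validate_jpeg_upload("photo.jpg", FAKE_EXE)[0],
        "real jpeg": validate_jpeg_upload("photo.jpg", FAKE_JPEG)[0],
    }


if __name__ == "__main__":
    for label, ok in run_samples().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```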

Coding Your Way to a Better Tomorrow

If you know how to code, you can make your applications more secure.

And how do we do that?

It’s cliche, but one module/class/servlet at a time.

In the coming months, I’m going to share what I’ve learned after decades of coding for various companies representing financial and other well-regulated industries. I’ll give you examples that you can copy and paste into your code — or that demonstrate the basic concepts so you rework the example according to your needs. I’ll cover both Java and PHP. I’ll release the example code under the BSD 2-Clause License, which should give you maximum flexibility and freedom.

In other words, I want to give you tools to help you secure your code so your customers are happier, your boss is happier, and you can sleep better at night knowing you’ve done your best to secure your code.

You’ll add security to your perspective without even thinking of it as security. You’ll be back to converting requirements to your usually amazing applications. Only this time, you’ll know how to avoid the weaknesses that landed many companies in Verizon’s report. Will your code be unassailable? Good heavens, no! But it will be better. And not only better at a specific point in time: you’ll understand how to keep it as secure as is reasonably possible over the long haul.

Watch for the curriculum outline and some sample training videos/articles in the coming months!

Apr 12

Talking with Security Doubters

By terranceacrow | Techniques

Surrounded by Doubt…

In my last post, I talked about a scenario designers and developers know all too well: well-meaning management, project managers, architects, and business staff who don’t believe security is important — or don’t believe it’s important enough to warrant your time. Many of these doubters have direct input into the amount of effort you can spend on a project. If you’re a developer who knows what can happen when you ignore customers’ demands for reasonable security, what can you do?

Put Down the Stones!

First, let me address a tendency we have as developers. You are burdened with knowledge of how to get things done.* If you’re security conscious, you understand what insecure code or coding practices can do to customer trust. We tend to get frustrated or angry when people try to override our coding experience with their own priorities.

Becoming angry, though, won’t help. At best, they’ll just ignore you and label you a prima donna. At worst, they’ll just call you a prima donna and put you on work improvement because you’re not being a team player (in their eyes). But if (justifiable) anger’s not the answer, what is?

A Better Approach

Back in 1997, a modern philosopher named Don Miguel Ruiz came up with The Four Agreements to guide how we interact with others and ourselves. I’ve found them to be an effective way to advocate for security on behalf of the customer. Those rules are:

  1. Be impeccable with your word: Don’t be over the top or hyperbolic. Clearly and honestly state the requirements as you see them to your manager or team leader.
  2. Don’t take anything personally: Chances are, the folks arguing with you are just trying to meet their obligations and go home for the day. Unless you’ve knifed them (or one of their loved ones), it’s unlikely they’re attacking you personally.
  3. Don’t make assumptions: As developers, we tend to have a precise vocabulary. To my astonishment, I’ve learned not everyone’s like that (how do they even get to work without such precision?). Don’t assume they’re an idiot for not agreeing with you. Also, don’t assume you’re right! Even security requirements are subject to input from budget and risk. Management may have heard your pleas, considered them against the application’s risk posture and/or budget, and decided they could afford the risk.
  4. Always do your best: Represent your profession in the best way you know how. Don’t consciously exclude a security requirement without at least making your team leader or immediate supervisor aware. You could do worse than having the reputation as that “developer who’s always worried about security!” If you’re always striving for your best, you can still move your skills forward — even in a security-poor environment.

Unfortunately, that last point is important: Sometimes, despite your best efforts, despite your eloquence and tenacity, despite your well-reasoned arguments and appeals to customer satisfaction, the team may decide not to incorporate the necessary security controls. They might elect to allow unfiltered input under the reasoning that the code uses stored procedures, so it’s safe. They might not understand that the input might include cross-site scripting (XSS) attacks that could ensnare a browser displaying the data. After all, security is only as strong as its weakest link. What can you do then?

As I see it, you have two choices:

  1. Accept the decision and keep working: If you enjoy working with this team, accept the decision and keep working. Certainly, keep a log of your concerns (e.g., keep the e-mails you sent warning of the security vulnerability) in case someone tries to blame you later. But otherwise, keep studying security on your own so your skills don’t stagnate. Also, hope the team will take your advice the next time!
  2. Find another job, give your two-weeks’ notice, and move on: If you find that no one’s listening, if you see customer data being compromised (especially if that data personally identifies a customer or reveals their health care data), it might be time to move on. You don’t want to lose your edge by working with architects, designers, or developers who don’t understand security. Again, keep a log of your efforts to make the team aware so they don’t try to frame you, but graciously move on. And don’t burn the bridges behind you! You never know when you might need to make a strategic retreat!

The real shame is that writing secure code is not materially different from writing insecure code. In fact, I’d argue that it’s actually less expensive, since the resulting code requires less operational support and is less likely to embroil the company in an inadvertent data disclosure. Those things take a lot of time to manage and correct! And that’s not even counting potential legal fees as the US Federal Trade Commission begins to get involved.
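An added illustration of both points above (stored procedures leave XSS untouched, and the safe version is barely different from the unsafe one), written in Python rather than the Java or PHP the post promises; it is not the post’s own code. sqlite3 has no stored procedures, so a parameterized INSERT stands in for one, and the payload string is constructed test data:

```python
import html
import sqlite3

# Added example, not the post's own code. sqlite3 has no stored procedures, so a
# parameterized INSERT stands in for one: it defeats SQL injection but stores the
# string exactly as typed, so any script inside it reaches the browser later.

# Constructed comment for the test; both halves are only sample data.
PAYLOAD = '<script>alert(1)</script>" onmouseover="alert(2)'

def store_comment(conn: sqlite3.Connection, body: str) -> str:
    """Persist the comment with a bound parameter and return what was stored."""
    conn.execute("INSERT INTO comments(body) VALUES (?)", (body,))
    return conn.execute("SELECT body FROM comments ORDER BY rowid DESC").fetchone()[0]

def render_unsafe(body: str) -> str:
    """Raw interpolation: the stored text becomes live HTML (stored XSS)."""
    return f'<div title="{body}">{body}</div>'

def render_safe(body: str) -> str:
    """Same template, one extra call: escape for the HTML text and attribute contexts."""
    safe = html.escape(body, quote=True)   # < > & " ' become entities
    return f'<div title="{safe}">{safe}</div>'

def demo() -> tuple:
    """Round-trip the payload through the database and both renderers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(body TEXT)")
    stored = store_comment(conn, PAYLOAD)
    return stored, render_unsafe(stored), render_safe(stored)

if __name__ == "__main__":
    stored, unsafe, safe = demo()
    print("stored intact:", stored == PAYLOAD)   # the database did its job
    print("unsafe render:", unsafe)              # browser would run the script
    print("safe render:  ", safe)                # browser shows it as text
```

The database layer stored the text faithfully and blocked nothing; only the output encoding decides whether the browser sees markup or text.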

Always advocate for doing the right thing. It sometimes doesn’t seem worth it, but you have to live with you, so you might as well act in a way you can respect!

In the next post, we’ll take a look at giving your security concerns a sound foundation.

* After all, we’re the ones who tell the program exactly what to do and when to do it. The business team has more knowledge of why things are happening, but when it comes to exactly what’s happening, we’re at the epicenter.