Journey Through Time: The Remarkable Evolution Of Secure Coding
From restricting who can work on IBM mainframes to current DevSecOps techniques, the idea of safe coding has a longer history than you would imagine.
With technology advancing faster than a cheetah on roller skates, developers are facing more challenges than ever before.
It’s like a never-ending game of code chess, where they have to outsmart cyber security risks at every turn.
But hey, developers have always been the ultimate conquerors, facing barriers like brave knights in shining armor.
IBM’s Mainframe
Let’s take a trip down memory lane to the era of IBM’s mainframe coding.
Picture developers decked out in flared pants and groovy haircuts, crafting COBOL/PLI programs to navigate through big, complicated hierarchical databases.
They had to follow the golden rule of “least privilege” like a strict bouncer at an exclusive club.
The Resource Access Control Facility (RACF) was the bouncer-in-chief, regulating user access to essential resources.
If you didn’t have the right access, your job runs would end up dancing the night away with failure.
Client & Server
Fast forward to the client and server era, where the front end was built using Smalltalk-80, the object-oriented language.
Security was like wrapping presents, with objects being wrapped in layers of packaging.
It was all about managing data flow across objects, with a strict protocol for object dwellings.
Think of it like a posh neighborhood where information could move freely to higher-security objects but not descend to lower-security ones.
It was object segregation but in a cool way.
Dynpro SAP
Then came the ABAP-based SAP Dynpro development phase.
Developers had to play detective and investigate if a user had the right authorization profile to access programs or the database.
Transaction codes and authorization profiles were the kings and queens of the day.
If anything went awry, the end user was either met with an intimidating “Not Authorized” alert or granted access to the kingdom, resulting in behavior that went unquestioned.
It was like a wild party where everyone either had VIP access or was left out in the cold.
But hold on tight, because 2017 brought a game-changing moment for SAP users.
A high-profile court case declared the concept of indirect access to SAP systems, leading to a shift in strategy.
Remote access and function calls became a separate account affair, with developers juggling multiple accounts like circus performers on unicycles.
It was all about creating separate accounts for each application, like having different costumes for each act. Talk about keeping things entertaining!
Web Development
The web development era arrived, bringing us the SAP Enterprise Portal and SAP Web Application Server.
This was browser-based development in the SAP environment, making it feel like we were surfing the internet in a high-tech wave.
Developing and delivering Java code required a locally installed development environment, complete with secure code repositories on network drives.
Troubleshooting became an adventure, as developers had to navigate through a maze of load balancers, reverse proxy servers, and certificates.
HTTP was like the default language, but security was sometimes lost in translation.
It was like building a sandcastle on the beach, only to see it washed away by a sneaky wave.
Multi-Factor Authentication (MFA) & Single Sign-On (SSO)
Now let’s talk about Multi-Factor Authentication (MFA) and Single Sign-On (SSO).
Basic authentication with just a user ID and password was as vulnerable as leaving your front door wide open.
So developers upped their game and introduced login tokens and certificates to offer a more secure SSO experience.
It was like getting a backstage pass to a concert but with login tokens instead of wristbands.
And don’t forget about SAML 2.0, the superhero of web-based authentication and authorization.
It swooped in with SSL encryption and restricted token validity, protecting users from all sorts of malicious villains.
API & Mobile Development
API and mobile development took the stage, and developers had to become data package couriers between systems.
It was like being a secret agent, transmitting data under the radar.
They had to understand the whole API trip, from changing data formats to exchanging identity tokens like spies passing secret codes.
OAuth 2.0 scopes became the gatekeepers in REST development, limiting user access like bouncers at a trendy nightclub.
A good scope design was like having the right dress code to enter the VIP area.
Browser Compatibility & Cross-Device Support
Browser compatibility and cross-device support became the new challenges.
Browsers kept upgrading their security protections, leaving companies stuck in the past with legacy emulations.
It was like trying to fit a square peg into a round hole.
And let’s not forget about mobile development, where offline data storage was the cool kid on the block.
Applications would save data on the device, allowing users to continue their journey even without a network connection.
It was like having a secret stash of snacks for when you’re on the road and need a pick-me-up.
Continuous delivery/integration/deployment
Finally, we arrive at the era of continuous delivery/integration/deployment, where companies strive for agility like a ninja on caffeine.
The DevOps lifecycle became the superhero team, ensuring code quality and security through continuous integration, delivery, and deployment pipelines.
Code scan tools like Onapsis and SonarQube joined forces, scanning code for safe coding best practices, and flaws. But, like any hero, they had their limitations.
Sometimes they would raise an alarm for an innocent line of code, causing false positives.
So developers had to set thresholds and evolve coding standards to reduce DevSecOps breaches, like training an AI sidekick to improve its accuracy.
Even More Of The Same
In the end, keeping code secure has always been a bit like herding cats — challenging, but not impossible.
Developers have relied on a combination of technology and human skill, creating a dynamic model that should be cherished.
So let’s raise a virtual toast to the code warriors out there, fighting the good fight and making the digital world a safer and more entertaining place!
Exit with a flourish — a $1 coffee ensures the creative journey continues!
