Paying for Network Security, One Line of Code at a Time

Here’s the situation: there’s a company that has handed over all operational running of its network over to a third-party integrator. At first, it was with a thought that the company would save loads of money, but now the truth is known. This integrator charges by the line of code. The only way to save money is to never issue changes to the switch configs.

Along comes an auditor, and the auditor makes a finding that the company needs more network security. His change involves adding just one line of code.

To a switchport config.

To every access port.

In the entire network.

The customer does the multiplication and comes to the conclusion this auditor *has* to be getting a kickback from the integrator.

It doesn’t matter if the integrator makes the changes by hand or if it automates them: the contract spells it out clearly, each line of code involves a charge.

It may come out cheaper to just fire the CISO every year, pay a fine, and never really fix the problem.

What are some other tack-on monetary cost barriers that integrators add that get in the way of security? I’ve seen quotes for a pair of firewalls that, in retail terms, would be as much as purchasing the same pair once a month for an entire year and still have enough money left over to cover my salary, albeit without benefits. I suppose if they bought the one firewall pair, the cost of the other 11 could be transferred to cover my benefits.

But I did more at my job than manage a single pair of firewalls – how could this be an actual savings? It was only a cost savings if we never purchased the gear in the first place!

And that ain’t good security…

Integrators also introduce non-monetary costs (and if I sound like an economist now, it’s because I used to teach Economics…) in the form of the time and effort it takes for their customers to get the paperwork put together to submit to them whenever a new system is introduced to the network. Does the product also need to access network equipment? Oh dear, oh dear, oh dear, that may be a problem…

… because the integrator uses the same management environment for multiple customers. If my product can access customer AAA in the integrator’s environment, it is only a few lines of configuration away from accessing everything from AAA to ZZZ in that environment.

That also ain’t good security…

Then there’s the time I submitted the request to have a firewall rule added to permit a group of 5 source addresses talk to a group of 3 destination addresses over a group of 10 TCP ports.

Did the integrator create one rule and three groups?


5 times 3 times 10 equals 150, the actual number of rules created by the integrator for my request.

And we paid for every line…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.