Bridging the Chasm Between IT and Information Security
Monday, 16 August 2010

By Danny Lieberman, Software Associates

Not so long ago, when a company (business unit, department or manager) wanted to develop a line-of-business software application, they would do a system analysis starting with business requirements and then proceed to develop the application and deploy it. Things have changed. Packaged software and Web applications that the CEO's niece can whip together in a week have replaced structured systems development.

There are, of course, good things about not having a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product. But the downside of not developing software according to a structured systems design methodology is insecure software. So-called security development methodologies are band-aids on deep cuts and cannot replace a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of mentality and skill sets between IT and security professionals. IT is about executing predictable business processes. Security is about reducing the impact of unpredictable events.

IT's "best practice" security in 2010 is firewall/IPS/AV. Faced with unconventional threats (for example, a combination of trusted contractors exploiting defective software applications), IT staffers tend to seek a vendor-proposed, one-size-fits-all "solution" instead of performing a first principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modeling is a lot of hard work, hard data collection and hard analysis. It's not a sexy, fun to use, feel-good application like Windows Media Player.

Risk analysis may yield results that are not career enhancing, and as the threats get deeper and wider with bigger and more complex systems, so the IT security valley of death deepens and gets more untraversable.

There is a joke about systems programmers: they have heard that there are real users out there, actually running applications on their systems, but they know it's only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of customer-safety oriented.

Truly, the essence of security is protecting the people who use a company's products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly, the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike. Around this common challenge, I propose that IT and security adopt a common goal and a common language: the language of customer-centric threat modeling, with its vocabulary of threats, vulnerabilities, attackers, entry points, assets and security countermeasures.
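To make that shared vocabulary concrete, here is a small threat model written in it as an added example (not code from the article or from Software Associates). The assets, threats, scores and the single countermeasure are constructed for illustration; the scoring (likelihood times customer impact) is one simple choice, not a method the article prescribes. The point it demonstrates is the one the article makes: a perimeter-only control set leaves the highest customer-impact threats, which come through application defects rather than network malware, with no countermeasure at all.

```python
"""Customer-centric threat model in the article's vocabulary: threats,
vulnerabilities, attackers, entry points, assets and countermeasures.
Added example; every name and score below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    customer_impact: int  # 1 (nuisance) .. 5 (customer safety or mass data loss)


@dataclass(frozen=True)
class Threat:
    name: str
    attacker: str        # who: external user, trusted contractor, ...
    entry_point: str     # where they reach the system
    vulnerability: str   # the defect that makes the threat possible
    asset: str           # Asset.name of what is put at risk
    likelihood: int      # 1 .. 5


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: frozenset  # Threat.name values this control addresses


def risk(threat, assets):
    """Customer-centric risk: likelihood weighted by harm to customers."""
    return threat.likelihood * assets[threat.asset].customer_impact


def unmitigated_threats(threats, countermeasures, assets):
    """Threats no countermeasure claims to address, highest customer risk first."""
    covered = set().union(*(c.mitigates for c in countermeasures))
    open_threats = [t for t in threats if t.name not in covered]
    return sorted(open_threats, key=lambda t: (-risk(t, assets), t.name))


def residual_exposure_by_entry_point(threats, countermeasures, assets):
    """Total unmitigated risk entering through each entry point."""
    exposure = {}
    for t in unmitigated_threats(threats, countermeasures, assets):
        exposure[t.entry_point] = exposure.get(t.entry_point, 0) + risk(t, assets)
    return exposure


# Constructed sample data: one web business with an embedded medical product line.
ASSETS = {a.name: a for a in (
    Asset("customer card records", 5),
    Asset("patient dose settings", 5),
    Asset("marketing site content", 1),
    Asset("office workstations", 2),
)}

THREATS = (
    Threat("sql-injection-order-lookup", "external user", "web order form",
           "unparameterized query", "customer card records", 4),
    Threat("contractor-dose-limit-change", "trusted contractor", "device maintenance port",
           "no authorization check on config write", "patient dose settings", 2),
    Threat("cms-defacement", "external user", "CMS login",
           "weak admin password", "marketing site content", 3),
    Threat("office-malware", "external user", "email",
           "unpatched workstation", "office workstations", 5),
)

# The 2010 "best practice" control set from the article: it only covers malware.
COUNTERMEASURES = (
    Countermeasure("perimeter firewall/IPS/AV", frozenset({"office-malware"})),
)

if __name__ == "__main__":
    for t in unmitigated_threats(THREATS, COUNTERMEASURES, ASSETS):
        print(f"OPEN  risk={risk(t, ASSETS):2d}  {t.name}: {t.attacker} via "
              f"{t.entry_point} exploiting {t.vulnerability} -> {t.asset}")
    for entry, total in residual_exposure_by_entry_point(
            THREATS, COUNTERMEASURES, ASSETS).items():
        print(f"entry point {entry!r}: residual risk {total}")
```

Running it lists the SQL injection and the contractor configuration change as the top open items while the malware threat, the only one the perimeter covers, drops out of the report; the residual-exposure view then tells IT and security which entry points to work on together.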

This may be the best or even only way for IT and security to traverse the valley of death successfully.

This article was published by Infosec Island.

Danny Lieberman is a security expert and founder of Software Associates.
Comments (1)
1. 08-21-2010 10:22
I certainly agree that IT and security need to pursue a collaborative approach to design; the challenge is often allocating sufficient time in the project schedule to permit the various aspects of analysis required.
Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.