Over-Relying on Network Defenses: The problem isn't our networks (which are pretty well protected), it's crappy software. There is no discipline or rigor in software engineering like there is in other engineering disciplines.
I'm a mechanical engineer by trade, so this is a very serious problem to me and one that I'm intimately familiar with. Examples from other industries are just as stark by comparison: doctors have residencies; civil engineers have to be certified and must train under another certified engineer (they're called EITs, engineers-in-training, and can't lead any projects); and so on.
Believing the Hype of Technology/Tools: I love tools. I worked for a software testing tools vendor for five-plus years. But I also recognize that tools don't make people better. They simply make people more efficient in jobs they are already trained to do.
Tools don't teach a surgeon how to operate. I wasn't a better engineer because I learned AutoCAD; it just made me more efficient in the job I was trained to do. That's the problem: no training in the discipline, not a lack of tools. Tools aren't the panacea people want them to be.
Too Many People Assumptions: Casual hackers aren't the real threat. They actually help by tripping the land mines that are waiting to be exploited. The real threats are organized attackers (think terrorist cells or hostile states) who could cripple our infrastructure, utilities, and communication systems.
The other real threat is insiders, who already have access and know where the crown jewels are. Companies focus on outside hackers, but that is the wrong assumption. And they always forget that it's their crappy software that allows the hackers to exploit them in the first place.
Fix the problem software and you mitigate the threats.
Using ROI as a Leading Indicator/Metric: Organizations look at software and security as an investment. Applications are liabilities that need to be mitigated, not assets to be exploited for ROI. If companies thought about their applications as threats instead of assets, they'd treat them a lot differently from conception through development and deployment.
Assuming Secure Software is Costly: Though it may add time to the front end of the software development lifecycle (SDLC), e.g., defining requirements properly and designing systems well, integrating security into each phase of the SDLC saves a great deal of time and money in later phases, especially testing and deployment, when security holes take a long time to troubleshoot, re-code, and patch.
Microsoft has some good case studies on this from using its SDL (Security Development Lifecycle) internally, e.g., on SQL Server. I realize they have a vested interest in promoting it, but the numbers don't lie: SQL Server 2005 (which was built using the SDL) has substantially fewer security bugs than either Oracle or MySQL.
Falling into the Recency Trap: I love this one. It's a psychological problem more than anything. People react to the most recent scare. For example: lost laptops, so buy data encryption; botnets, so invest in IPS.
This is a well-documented trend, and a shame. It happens not just in IT, of course. In 1967 Sweden changed from driving on the left side of the road to driving on the right. What happened? In the 12 months following, auto fatalities dropped by 35%. Not because the right side of the road is safer, but because there was a change and people felt more at risk.
Twelve months after that, auto fatalities were exactly where they had been pre-1967. People forgot they were at risk and adjusted their behavior. Classic.
Look for expanded articles in the coming weeks covering each of these themes as Ed explains the rationale behind his observations.
Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.