Secure Development: A Polarised Response
by Jane Frankland - Commercial Director, Corsaire - Monday, 7 June 2004.
An organisation's culture has typically been the deciding factor in whether a programme of secure development is implemented at all. Organisations with conventional cultures usually present the most resistance to any sort of change, let alone a security-driven one. Their environments are dogmatic and strictly compartmentalised along departmental boundaries. They are comfortable leaving the software development process as it is, systematically separated into planning, design, testing and implementation, with security addressed at the eleventh hour or, worse still, once the project has gone live. Organisations such as these remain culturally static until a new business need or a compelling event (a breach, a failed audit, a customer demand) forces the issue.

Whilst an organisation's culture can't be changed overnight, some organisations have moved into a more proactive mode and successfully integrated security into their development lifecycle. Their achievements have come from adopting a culture of shared beliefs, values and behaviours, and from environments in which change is actively and positively reinforced.

For example, they educate their personnel in the benefits of implementing secure development early. Project leaders and their managers therefore promote a team atmosphere in which work is produced as defect-free as possible before being passed to the next development stage or to the customer. By encouraging mutual respect they have overcome the suspicion and opposition that software engineers have traditionally felt towards security auditors, the party responsible for identifying vulnerabilities and weaknesses in their software. Because problems found are seen as belonging to the product rather than to its producers, each participant is receptive to suggestions for improvement and progress occurs more quickly. Operating in this manner also creates opportunities for knowledge sharing: by establishing effective forums, less experienced team members increase their learning while still making useful contributions. Ultimately, these organisations recognise that spending time on quality activities up front saves time for the whole organisation in the long run, and increases customer satisfaction by releasing cleaner products in version 1.0.

To conclude, effective secure development will only become more widespread when organisations are better educated about it. To achieve this, security consultancies need to campaign actively and the media need to provide coverage. Software development managers must also prepare their departments for change: they need to understand the benefits of early secure development and be able to eliminate any animosity or suspicion their teams may have towards security consultancies.

Through fuller integration of security and development activities, security assessment becomes more effective and more efficient, the associated remediation costs fall sharply (a defect fixed at design time costs far less than one fixed after release), and organisations realise their return on security investment (ROSI) sooner. Until then, those organisations that already build security into the early stages of their development cycles will continue to reap an advantage over their competition.
