Secure Development: A Polarised Response
by Jane Frankland - Commercial Director, Corsaire - Monday, 7 June 2004.
Given the financial benefits of introducing phased security assessments at every stage of the development cycle, it is disappointing that more organisations have not made this proactive approach part of their standard software development procedure. A lack of education, and immaturity in their business, audit and software development processes, is one plausible explanation. But not all organisations are naïve in this respect, and so the question of why some choose to ignore best-practice recommendations has to be asked.

One answer may be that organisations respond to secure development in a polarised way: some wholeheartedly embrace it and actively reshape their business processes and controls around it, whilst others are blinkered and reject it as a costly exercise that is too difficult to implement successfully.

Typically an organisation's culture largely determines whether a programme of secure development gets implemented. Organisations with conventional cultures usually present the most resistance to any change, let alone a security-driven one. Their environments are dogmatic and strictly compartmentalised along departmental boundaries. They are comfortable leaving the software development process as it is, systematically separated into planning, design, testing and implementation, and addressing security at the eleventh hour or, worse still, once the project has gone live. Organisations such as these remain culturally static until a new business need or a compelling event drives them to change.


Whilst an organisation's culture cannot be changed overnight, some organisations have moved into a more proactive mode and successfully integrated secure development. Their achievements result from adopting a culture of shared beliefs, values and behaviours, and from environments in which change is positively reinforced.

For example, they educate their personnel in the benefits of implementing secure development early. Project leaders and their managers promote a team atmosphere in which work is produced as defect-free as possible before being passed to the next development stage or to the customer. By encouraging mutual respect they have overcome the suspicion and opposition that software engineers have historically held towards security auditors, the party responsible for identifying vulnerabilities and weaknesses in their software. Because the problems found are seen to lie with the product and not with the producers, each participant is receptive to suggestions for improvement and progress occurs more quickly. Operating in this manner also creates opportunities for knowledge sharing: through effective forums, less experienced team members can learn while still making useful contributions. Ultimately, though, these organisations recognise that time spent on quality activities up front saves time for the whole organisation in the long run, and increases customer satisfaction by releasing cleaner products in version 1.0.

Copyright 1998-2013 by Help Net Security.