I was reading the most recent Cryptogram this morning and came across a reprint of Bruce Schneier’s article in Wired about the value of aligning interest with capability in order to accomplish security goals. This was from an article about making software vendors liable for security flaws in order to force them to focus on security. His article was specific to vendors, and that stirred up some controversy on Slashdot due to the potential impact on Open Source software. Smart organizations will also apply this to internal development groups building their own Internet- or extranet-facing applications.
Until security makes its way into developers’ lists of priorities, applications will be woefully insecure. That means that executives need to make software security a priority and create the appropriate incentives so that this gets implemented. This will require quite a sea change for application development organizations, because most are so consumed by the “features, functions, timeline” mindset. When was the last time anyone heard of a developer getting a bonus for writing extra-secure code?
Microsoft has done a great job of this with their Security Development Lifecycle (SDL). These days a developer who injects a security flaw is responsible for addressing that flaw. Likewise, if a developer misses a security flaw in one of their code reviews, then they’re the one who is responsible. Development groups need to adopt the attitude that security is the responsibility of the individual developer, and reward and punish based on performance in this area.
dan _at_ denimgroup.com