Aligning Interest With Capability for Application Security

I was reading the most recent Cryptogram this morning and came across a reprint of Bruce Schneier’s article in Wired about the value of aligning interest with capability in order to accomplish security goals.  This was from an article about making software vendors liable for security flaws in order to force them to focus on security.  His article was specific to vendors, and that stirred up some controversy on Slashdot due to the potential impact on Open Source software.  Smart organizations will also apply this to internal development groups building their own Internet- or extranet-facing applications.

Until security makes its way into developers’ lists of priorities, applications will be woefully insecure.  That means that executives need to make software security a priority and create the appropriate incentives so that it actually gets implemented.  This will require quite a sea change for application development organizations, because most are so consumed by the “features, functions, timeline” mindset.  When was the last time anyone heard of a developer getting a bonus for writing extra-secure code?

Microsoft has done a great job of this with their Security Development Lifecycle (SDL).  These days a developer who injects a security flaw is responsible for addressing that flaw.  If a developer misses a security flaw in one of their code reviews, then they are the one who is responsible.  Development groups need to adopt the attitude that security is the responsibility of the individual developer, and reward and punish based on performance in this area.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
