Every time I think about software security and its adoption inside software companies, I remember my habits regarding recycling. Let me give you a bit of background. The City of Ottawa decided to introduce something called the green bin, which is your regular garbage bin, only green in color, and should only contain organic waste. This is of course different from the black box, which should hold all the paper waste, the blue box for glass and plastic waste, and finally the regular bin for everything else.
I like recycling because I feel I am doing something good for my environment. However, I hate the fact that I have to have four bins in my kitchen (or even in my small garage) just for garbage. I mean, this way I won't even have space for my car, for God's sake.
Software companies think of security the same way: too many bins out there! Secure code review, dynamic scanning and assessments, web application firewalls, intrusion detection, forensics, etc.
I just want to feel good and have one bin only to deal with!
I drive my wife crazy trying to optimize everything. She might be right, though. We live together, no kids for now, in a 3 bedroom house, and I work from home. I am the kind of dude who sets the thermostat to 15 Celsius (60 F) from 10:00 PM to 7:00 AM because we are usually asleep during this time and don't need the whole house heated. I have an oil heater in the bedroom that is set to start automatically at 9:30 PM at 21 Celsius (70 F) to heat up our room, and another oil heater in my office that starts automatically at 8:00 AM and runs until 5:30 PM, because this is where I usually spend the whole day. The house thermostat is set to 21 Celsius from 7 to 8 AM in the morning, as this is when we wake up and use most of the house, and from 5 to 10 PM every day, as this is again dinner and wind-down time and we usually use most of the house. I might be paying more for the electricity and gas combined, but I feel that I am optimizing my resources and heating only the rooms I need.
Software security is the same thing: it is about optimizing your resources. Recent statistics reveal that as many as 70% of websites have vulnerabilities, and according to Gartner and the U.S. Computer Emergency Readiness Team (US-CERT), 75% of new attacks specifically target the application layer. That is not the same as saying there is a 75% chance your application will get hacked, but it does mean that when someone comes after you, the application is by far the most likely door they will try. How much time and money will be spent fixing the problem? And from my experience these problems never come at a good time. If you are still not convinced, check out the recent attacks against Google, Adobe and 30 other companies.
I rest my case.
They both need some change. So I want to recycle, feel good and do the right thing, but do I have to think every time I am throwing something out?! OK, should this go in the blue, green or yellow bin? Oh, there is no yellow! Let me get back to the chart to find out where yogurt containers go! What just happened here? Something I used to do without thinking twice, on autopilot, now requires a conscious decision. I have to think before doing it, and we humans don't like to think, at least not about garbage-related decisions.
Involving software security in the software development life cycle needs some changes too: it needs a change in the mindset of senior management, a change in the mindset and habits of the developers, a change in the way developers write code, and the introduction of some controls. And again, we humans do not like change.
They both have no immediate monetary reward. While I am throwing out the plastic liner from inside the cereal box and trying to remember which bin it should go in, I think to myself, what's in it for me? Yes, I will feel good, I have done something good for my environment, and I can now stand proudly next to my green bin as the "green" neighbor on the block. But what's really in it for me? I mean, I am paying every year to have my green bin picked up; can't I just pay and not do the work involved?
Software companies think of it the same way. I was once talking to a CEO about the importance of security in the life cycle of their software service, and he told me: "I can't introduce any security controls, because this would mean extra cost to our business model, and our customers won't pay for it because they expect their software to already be 100% secure." I asked: "Why do you add extra cost for quality assurance, then?"
Software companies don't think that there is any return on investment for software security. I always ask this: why do you do quality assurance, then? Why do you always put cost, estimates, time and engineers into quality assurance and not into security testing?