Part 1: Mom's Warning
I spend most of my time these days helping software developers understand the security implications of the software they write - and it is frustrating.
Security does not come naturally to software development and most of the people involved. You can simply scan the news headlines for the latest piece of software compromised to figure that out. But I have a great deal of empathy for those developers that I work with today, because the concepts of security applied to software took me a while to understand too - and I have the advantage of including some of the world's top security experts in my co-workers and close friends.
Continue reading "Software Quality is not Software Security 1" »
Part 2: The Defender's Dilemma
(Mom's Warning, continued)
When you take up the study of security you will probably run into a paradox called the defender's dilemma fairly early on.
That paradox explains that in the game of security (it really is best to think of it as a game between adversaries, the attacker and the defender) the attacker has a single, but extraordinary, advantage: the attacker chooses when and where. For our purposes, it is safe to assume that the attacker can only mount an effective attack at a point of weakness (a vulnerability). Therefore the defender cannot make any assumption about which vulnerability he must defend against.
Continue reading "Software Quality is not Software Security 2" »
I've had a few conversations in the past week that essentially followed the same path. Since there seems to be more than one person out there interested in return on investment (ROI) for software security, I thought I'd write about it here.
The conversation always starts with a question along these lines: "How do you build an argument for investing in software security?" When I hear it, it's usually coming from a security person who needs to explain to non-security people why they need money for software security tools. My answer comes in three parts:
Continue reading "R.O. - Why?" »