Into the Breach – Audio Series – Chapter 3 (Breaking the Security Diet)

Posted by Michael Santarcangelo on October 6, 2009 · Leave a Comment 

Episode 4: Into the Breach: Chapter 3 (Breaking the Security Diet)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 3)

Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.

Go deeper Into the Breach with Michael Santarcangelo in October with EMC

In October, join Michael Santarcangelo for a live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:

  • Reveal the ideas and concepts that may have been pared from the chapter you just listened to
  • Expand upon or update the elements in the chapter you just listened to
  • Answer questions in a candid and direct style – focused on delivering insights that lead to results

Go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded sessions from before and get reminded to join in for the September session.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

  1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV (working on Dallas, Phoenix and San Francisco, with a likely stop in Atlanta and maybe Charlotte)
Bookmark and Share

Podcast: Play in new window | Download (11.0MB)

Filed under Blog, News and Events, Podcast · Tagged with , , , , , , , ,

Is This Helpful?

Posted by Adam Dodge on February 4, 2009 · Leave a Comment 

By Adam Dodge

code_holeOn January 12, 2009, MITRE and SANS announced the release of the CWE/SANS Top 25 Most Dangerous Programming Errors list. Since the release of this list, there is been a lot of talk over whether or not this latest “Top XX” security list is useful. However, that is not the focus of this article. Instead, let’s take a look at the action of Will Pelgrin and CSCIC.

Announced at the same time as the list, CSCIC released “draft language” to help guide New York State procurement guidelines* to include provision for secure code. On the surface, this type of requirement is to be applauded. After all the goal is to require the development of secure coding and testing practices for all applications purchased by New York State agencies. However, this current draft still leaves several questions in my mind.

One of the first problems that comes to mind is that there is no mention of the increased costs associated with the tenets of the procurement guidelines. It goes without saying that the new requirements have the very real possibility of adding significant increases to both develop times and development costs. After all, activities such as mandatory background checks for developers, development vulnerability and risk assessments, and security control compliance customized per customer demand all have associated costs.

Should organizations eschew these secure coding practices in favor of faster products at a lower cost? Of course not, but this draft guideline should not ignore the fact that there will be an increase due to the requirements suggested. Interestingly enough, the OWASP Secure Software Contract Annex, off which the Application Security Procurement Language document is based heavily, does address this problem. In fact, OWASP encourages that such costs be negotiated as part of the procurement process, not ignored altogether.

Beyond actual coding practices, one requirement that the proposed procurement guideline calls for is increased documentation. Generally, more documentation is a great idea and the documentation called for in the procurement guideline (in most part thanks to the work by OWASP) will allow organizations to fully understand not only the security controls used during the software development process but also the proper security configurations to employ. However, none of these increased documentation mandates require that the purchasing organization actually understand all of this increased documentation.

Of course, such language would not be appropriate in a procurement guideline, but the simple fact is that no amount of documentation will help ensure secure operation of any software application if the individuals running the application do not understand what the documentation specifies. Organizations need to ensure that there are staff resources available internally to interpret the documentation provided by developers in order to properly ensure the controls included in the documentation meet organizational requirements.

The final section of the procurement guideline is probably one of the biggest problems with the document. The intent behind the language used in the Investigating Security Issues is clear. After all, if a security incident were to occur due to a problem with the software, then the vendor’s help with investigating the incident would be immeasurable. However, the wording used in the actual guideline simply ensures that very few - if any - procurement contracts will contain this incident investigation support requirement.

The problem is that the procurement guideline takes its intent from one of the OWASP stipulations, but ignores the importance of the supporting sections of the OWASP Annex. In short, OWASP calls for Developer support during incident investigations but allows for the fact that the incident may involve a wholly unique issue outside of either security requirements or “reasonable” security testing procedures. After all, complete security today does not ensure complete security tomorrow. Any secure coding requirement needs to allow for the fact that there will be unforeseen security incidents no matter how good the security requirements are and to allow for a good faith negotiation between developer and customer in such cases.

*Please note the links to the procurement guideline point to the online SANS mirror and not the PDF document on the CSCIC web site. This was done because the CSCIC PDF does not reference the OWASP Annex.

Editor: Join additional conversation on this topic in the Security Catalyst Community: New York drafts language demanding secure code

Bookmark and Share

Filed under Blog, Security Catalyst Contributors · Tagged with , , , , ,