Security - eBook (EN)

Creating a culture of security

Security is a matter of quality

There is good news here. Security is, in the same sense that quality is, often said to be free. In the same sense that basic hygiene is (more or less) free—washing your hands, for example. In the sense that it's cheaper to build in security rather than add it later.

Security is a type of quality. It's about ensuring that IT capabilities will continue to work as designed when placed in real conditions—that is, under attack and facing the unexpected. Just as there is no trade-off between quality and speed, there is no trade-off between security and speed.

Interestingly, by far the great majority of exploits could be stopped by simple security hygiene. There is a very small set of weaknesses that account for the vast majority of break-ins (SQL injections and buffer overflows, for example, for those readers who are technical). Ask any CISO about their greatest security fears, and you will probably hear: compromised credentials and failure to patch often enough. Add to this the top application vulnerabilities—SQL injections and cross-site scripting—and you've accounted for the vast majority of actual break-ins. But today's good practices provide inexpensive ways to avoid these vulnerabilities without slowing down the delivery process or imposing undue burdens on users. Security is not fancy, geeky engineering—it's a matter of following good practices as an everyday way of doing business. It's a matter of hygiene.

What does a culture of security look like?

The best model that I've found for a hygiene-based, culture-driven approach to security is that of the Rugged Software, or Rugged DevOps, movement, which advocates building secure and resilient software simply because it's the right thing to do. According to the founders of the Rugged movement, "Rugged organizations produce rugged code designed to withstand not just today's threat, but future challenges as well." The key to ruggedness, they say, is cultural:

"We believe that the key to producing secure code is to change your software development culture. We have to get beyond looking at the technology and look at the software development organization that created it. We believe this evolution has to start with the people, process, technology and culture of that organization."¹

1 "The Rugged Handbook," Strawman Edition, August 2012

Mark Schwartz, Enterprise Strategist and Evangelist, Amazon Web Services
