As we close out another year, and look back at all the data breaches that were enabled through the hundreds of thousands of helpfully vulnerable web applications -it's time to once again ask how we can prevent this in 2011.
There are no good answers, of course, but I think I've managed to get things down to a basic question that I feel like we all need to ask ourselves.
There is one fundamental question that is at the heart of every good security program that acts not only as a check-box at the end of it all but becomes a pervasive thread throughout all application delivery.
If you can't answer that question, don't bother trying to select technology, vendors, or putting in processes. Allow me to use the analogy of a football team here... for visual clarity.
Information security tends to be the "quarterback" for application security. We care because the word security is in the title of the problem.
The security of applications falls in the purview of the security team... so it's no surprise to anyone that the security team tends to spin up a vast majority of the initiatives here.
Ultimately though, the security team won't be doing much of the heavy lifting (or shouldn't be if they want to be successful). Let's run the numbers here on a typical organization, 1,000+ applications, 2 application security experts... that just doesn't work out.
In every good football team you'll need a good offensive line. The offensive line protects the quarterback against those that would harm the cause. These people translate to the people actually doing the heavy work here - the testers and analysts.
These folks utilize the technology, the processes and are the people in the triangle drawing. They make sure the ball moves down the field in the right direction towards the ultimate goal of a more secure enterprise.
Each organization will have a playmaker or two. These are people who deeply believe in the cause of less risky applications and a more secure enterprise. They'll step in when things are looking bleak and craft the compromises, tool the processes, and write the brilliant policies.
These people can be in-house expertise or they can be vendors or consultants but they are necessary. If you don't have at least one playmaker on the team, you need to find one, or it's going to be a long, grueling fight to get a software security assurance program in place, and make it successful.
The coach, like the legendary Mike Ditka, has the vision. The coach is the person who pushes for budget, hires new resources, picks the right technology, gets the timing right, does the risk assessment strategy and sticks their neck out in staff meetings to make sure that application security or software assurance programs happen.
While these people are usually well-seated (CxO-level) they can be senior-ranking architecture or other IT or business leadership.
So who cares?
Ultimately - the "who cares?" question must be answered. There must be at least 1 person in the organization that has not only the political capital, but also the decision-making capability, and more importantly the will to impact the organization.
This is your key stakeholder. Find this person in your organization. They exist, but aren't always easily identified because they don't always step forward.
Here's a quick set of questions to ask to figure out who really cares about a software security assurance program:
- Who is responsible to the business for the delivery and uptime of business-critical applications?
- From an operational perspective, whose organization (at the management level) is most impacted by poorly developed applications?
- Who is most likely to get the phone call from the attorneys if a major breach occurs?
- Who owns the budget for development, deployment and maintenance of applications in the organization?
- Who in the organization can balance the need for operational efficiency, with a low tolerance for risk?
Once you have your Key Stakeholder it's time to move.
Get your team together, outline the game plan, map out the people, processes, and technology that will be required to drive lower-risk applications to the enterprise - and then go talk to your key stakeholder because only then will you have any hopes of success.
Cross-posted from Following The White Rabbit