Slashdot Mirror


Security Strategy: From Requirements To Reality

brothke writes "Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson is arguably the best information security book ever written. Anderson's premise is that security technology needs to take a structured engineering approach to systems design, with detailed requirements and specification from start-up through development and implementation, just as those designing buildings and bridges do. Without a deeply embedded structured approach to security systems design, Anderson argued, we find ourselves in the situation we are in today, with applications and operating systems full of bugs, vulnerabilities and other serious security flaws. As good as Security Engineering is, it was not written to be a detailed information security design guide. That vacuum has been filled by an incredibly important and valuable new book, Security Strategy: From Requirements to Reality." Read on for the rest of Ben's review.

Title: Security Strategy: From Requirements to Reality
Authors: Bill Stackpole and Eric Oksendahl
Pages: 346
Publisher: Auerbach Publications
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 1439827338
Summary: One of the best information security books of the last few years

Security Strategy is one of the first books that shows how to perform a comprehensive information security assessment and design, from selection through development and deployment of a security strategy best suited to a specific organization.

The book's main focus is on the planning, requirements and execution needed to ensure that formal and comprehensive information security elements are built into systems, applications and processes.

Authors Bill Stackpole and Eric Oksendahl each have over 25 years in the industry, and the book reflects their vast expertise. Oksendahl spent time at Boeing, one of the most security-aware organizations, while Stackpole spent a decade at Microsoft. While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft.

The book's 300 densely written pages are composed of 14 chapters divided into 2 sections. Section one (chapters 1-6) is about strategy; section two (chapters 7-14) is about tactics.

Complete with checklists of the physical security requirements that organizations should consider when evaluating or designing facilities, the book provides the insight needed to enable an organization to achieve the operational efficiencies, cost reductions, and brand enhancements that are possible when an effective security strategy is put into action.

Chapters 1-3 give a high-level overview of how to approach strategy and its many details. The authors note that strategy is a long-term plan of action designed to achieve a goal, including what work will be done and by whom. This is not a trivial task, as many organizations simply roll out a new technology without defining what its goals are and who exactly will manage and support it.

Chapter 4 is where the hard work begins, as this chapter details the issues around strategic planning. Because strategic security planning is hard work and takes time, many organizations attempt to take an assumed easier path, that of bypassing security details and specifications. That is precisely why information security is in such a sorry state in many firms. These firms would rather buy a security appliance, place it in their data center and hope it works, than define the details and specifications of what the appropriate appliance is in the first place.

Part 2 commences on the topic of tactics, and defines them as procedures or sets of actions used to achieve a specific objective. What this chapter does well, as does the entire book, is that it compels the reader to focus on specifics and objectives.

Chapter 9 gets into the importance of observation, in knowing what is going on within the network. The book notes that observation is both a deterrent and a detector. The chapter goes into detail about how observation works in the physical world and its corollary use on the network side. The chapter breaks down the various functions needed to ensure that observation is done correctly, as opposed to the common method of simply rolling out an IDS and hoping that it somehow works.

Chapter 11 details the SDL (security development lifecycle). As the chapter notes, an effective SDL can improve application security via a set of development practices designed to reduce or eliminate exploitable vulnerabilities. The issue, though, is that far too few organizations realize the need for an SDL, let alone take the time to design and deploy one.

Chapter 14 ends on the topic of security awareness training. While the notion of security awareness for many firms is an annual 10-slide PowerPoint, the authors take a pragmatic approach and detail the various parts of what makes for an effective awareness program.

Security Strategy: From Requirements to Reality is an incredibly valuable book that advances the state of information security. For organizations that are looking to get serious about information security, and those that want to go from good to great, the book is an invaluable guide that lays the groundwork on how to develop a first-rate information security infrastructure.

A look at its table of contents shows the level of detail in which the book treats each particular point, showing how it can be properly designed and deployed for effective security controls.

My only peeve with the book is that it lacks a CD-ROM or web site from which to download the many tables and matrices the book is built on. It is hoped that future editions will make them available.

Security Strategy: From Requirements to Reality is one of the best information security books of the last few years. Those who are serious about information security will ensure this is on their reading list, and that of everyone in their organization tasked with information security.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Security Strategy: From Requirements to Reality from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

64 comments

  1. necks by Anonymous Coward · · Score: 0

    necks really should have bones going all of the way around them

  2. first BJ by Anonymous Coward · · Score: 0

    in a book!

  3. tl;dnr by falldeaf · · Score: 2, Funny

    This book seems like a whole lot of work... isn't there a lazier approach that would just make my servers *feel* more secure?! Ostriches have the right idea, I think. ( P.S. After this post, I hope my IP isn't viewable by the public... )

    --
    check out the Mp3 Garbler I built!
    1. Re:tl;dnr by Anonymous Coward · · Score: 0

      Find a Linux distro with a good reputation for sane defaults, install, do the absolute minimal configuration, then sleep well knowing that if anything happens it isn't your fault... you trusted the FOSS guys.

      Isn't that how MS got to the pinnacle? And no one ever got fired for going with IBM. Hmm.

  4. Linus approach to the problem by Tekfactory · · Score: 2, Funny

    Your servers need a blanket.

    Oh, you thought I meant THAT Linus...

    1. Re:Linus approach to the problem by falldeaf · · Score: 1

      A security blanket... brilliant. As long as it holds up under the immense heat from restricted airflow, I have a feeling my fears are over! Oh wait though, didn't Ben Franklin have something to say about this? Like, "Those that would accept restricted airflow in exchange for false security deserve to have all their components reflowed in their makeshift towel oven", I think.

      --
      check out the Mp3 Garbler I built!
    2. Re:Linus approach to the problem by Anonymous Coward · · Score: 0

      I was at a security conference some years ago, and one company, I forget who, was giving out security blankets as a prize.

  5. weirdly conciliatory remark by Daffy+Duck · · Score: 4, Insightful

    While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft.

    Is it worth noting that? To me, that just reads as "Microsoft is a very big company".

    It could well be the case that no organization in the world has spent more on cheese than the U.S. government. That wouldn't make me want to eat it.

    1. Re:weirdly conciliatory remark by BobMcD · · Score: 1

      While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft.

      Is it worth noting that? To me, that just reads as "Microsoft is a very big company".

      It could well be the case that no organization in the world has spent more on cheese than the U.S. government. That wouldn't make me want to eat it.

      While true, I am sure, both of the above comments reflect your own biases.

      A) It is entirely possible that Microsoft could have spent less than every company on security training. They did not. Whether or not this is noteworthy is up to the reader, but unless Microsoft is in fact larger than every other 'very big company', then it stands to reason that they did something different. You're not arguing the effectiveness, the commonality, or any other point. You're just somehow equating 'big' with 'most security training' - likely out of distaste for that particular company. Which is fine, but please feel free to say so.

      B) Cheese is awesome and delicious. That being said, your leaving more cheese for those of us who are sane and rational to eat is greatly appreciated...

    2. Re:weirdly conciliatory remark by TDyl · · Score: 1

      no organization in the world has spent more on cheese than the U.S. government

      That would be "Freedom Cheese" & transfat-full canned cheese I suppose, not decent French, Swiss, German or English cheeses?

      --
      Todd: I hope it proves as delicious as the farmers that grew them
    3. Re:weirdly conciliatory remark by gmuslera · · Score: 1

      It reads "Microsoft tried to teach them what not to do, and they misunderstood the not part"

    4. Re:weirdly conciliatory remark by Daffy+Duck · · Score: 1

      Oh, I am absolutely biased against Microsoft. Admitted freely, right here. In the aggregate, they suck.

      And I'm biased against bland cheese, too, because there are so many hard-working cows, goats, and sheep out there making really delicious cheese that I don't want to see their efforts swept aside in a sea of mediocrity.

    5. Re:weirdly conciliatory remark by Anonymous Coward · · Score: 0

      I don't care how fucking runny it is, fetch me the fromage!

    6. Re:weirdly conciliatory remark by TDyl · · Score: 1

      Don't you mean "fetch me the formaggio marcio"?

      --
      Todd: I hope it proves as delicious as the farmers that grew them
    7. Re:weirdly conciliatory remark by rwa2 · · Score: 1

      Hmm, well, you could also make the argument that $LARGE_DEFENSE_CONTRACTOR spends more on ethics training than any other @GOVERNMENT_CONTRACTOR, but how does that correlate with the number and impact of misconduct from procurement scandals they've been implicated in? Is integrity measured by $($scandals+$fines)/$(training hours) ?

      Good cheese, like fine wine, smells like $hi+. But we eat that $hi+ up all the same! I don't know where I'm going with this.

    8. Re:weirdly conciliatory remark by Anonymous Coward · · Score: 0

      Courses don't count. Knowing what to do doesn't mean you do it. If its not part of the culture of the organisation you can spend as much as you like, it won't make a difference. Money spent isn't the correct metric.

    9. Re:weirdly conciliatory remark by lennier · · Score: 2, Insightful

      Indeed. It's results that matter, not expense. Whatever it is that Microsoft is doing, they're obviously still doing it wrong when it's 2010 and there are still new buffer overflows discovered each month in Internet Explorer.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    10. Re:weirdly conciliatory remark by lennier · · Score: 1

      While true, I am sure, both of the above comments reflect your own biases.

      Sadly, when it comes to security, reality has a well-known anti-Microsoft bias.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    11. Re:weirdly conciliatory remark by BobMcD · · Score: 1

      Surely, but even when they try harder, they get negativity for that, too.

      It's a sad state of humanity where even if MS fixed everything and was the single greatest product ever, slashdot would still trash them for it.

    12. Re:weirdly conciliatory remark by Anonymous Coward · · Score: 0

      It's sadder when a company which has done such crappy deeds and released such crappy products continues to exist in the first place.

    13. Re:weirdly conciliatory remark by BobMcD · · Score: 1

      It's sadder when a company which has done such crappy deeds and released such crappy products continues to exist in the first place.

      No, in fact it is not, and that would be my point. So long as the crappy-ness stopped, there really ought not be any issue with them existing or not existing.

    14. Re:weirdly conciliatory remark by Anonymous Coward · · Score: 0

      microsoft is a software company and security is a part of software.

      the us govt, while it buys cheese, is not a cheese company.

      your analogy just doesn't work.

    15. Re:weirdly conciliatory remark by jd · · Score: 1

      Not necessarily wrong. If they have N times as many lines of code to audit, they need to spend an absolute minimum of N times as much just to stay on level pegging. Spending N/2 times as much is still more, but it isn't usefully more.

      Then there's program arcs. You can't just validate each line of code, you have to validate each arc as well. Windows 7 probably has many, many more program arcs than say, oh, Photoshop. At least, I hope so. If you test twice as many arcs but your code has a hundred times as many, you're spending more and doing more but getting a fiftieth of the coverage and therefore a fiftieth of the quality control. At best.

      I'm not saying Microsoft gets it right, either. I strongly suspect that the efficiency and quality of their testing is pathetic. Thus, dollar for dollar, I don't think they actually test even in absolute numbers as much as their rivals.

      Remember, not all testing is of equal worth. If you were to add asserts at the start and end of each arc through the code that specify each and every invariant that must be true at those points, you could eliminate most common bugs with very basic tests. In the case of applications, if you then added a strict debugging dynamic memory library, you should be able to clear out a significant fraction of the buffer overflows. If you then threw a static checker (Klocwork and Coverity make good but hellishly expensive products) at the code, you could clean out a lot of the remaining common flaws.

      Not all coding is of equal worth, either. If coders are held to the CERT standards for coding, you'll get better code than if you hold them to the "would-it-fly-on-tucows" standard. The "extreme programming" method of writing tests first and code around the tests should also help.

      However, even Microsoft couldn't afford Coverity's charge per line of code for something the size of Windows. I'm not sure they could afford the charge even for Internet Explorer. Just because the software would be valuable doesn't mean it is practical.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
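As an added illustration of the assert-on-invariants approach described in the comment above (this is editor-supplied example code, not from the page, the book or any commenter), the following C sketch keeps a fixed-capacity text buffer whose invariant is checked at the entry and exit of every function that touches it, and rejects over-long input with an explicit capacity check rather than trusting it to fit. The structure, the LINE_CAP size and the function names are assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy structure: a fixed-capacity, NUL-terminated line buffer. */
#define LINE_CAP 32

typedef struct {
    char data[LINE_CAP];
    size_t len;   /* invariant: len < LINE_CAP and data[len] == '\0' */
} line_t;

/* The invariant every function asserts on entry (precondition) and exit
   (postcondition), in the spirit of asserting at the start and end of each arc. */
static int line_invariant(const line_t *l) {
    return l != NULL && l->len < LINE_CAP && l->data[l->len] == '\0';
}

void line_init(line_t *l) {
    assert(l != NULL);
    l->len = 0;
    l->data[0] = '\0';
    assert(line_invariant(l));   /* postcondition */
}

/* Append src to the line. Returns 0 on success, -1 if src does not fit.
   Untrusted input is rejected by an explicit bounds check; the internal
   invariant is asserted rather than checked, since violating it is a bug. */
int line_append(line_t *l, const char *src) {
    assert(line_invariant(l));   /* precondition */
    assert(src != NULL);
    size_t n = strlen(src);
    /* Capacity check: room left is (LINE_CAP - 1) - len, keeping one byte for NUL. */
    if (n > (size_t)(LINE_CAP - 1) - l->len) {
        assert(line_invariant(l)); /* rejected input must leave state unchanged */
        return -1;
    }
    memcpy(l->data + l->len, src, n);
    l->len += n;
    l->data[l->len] = '\0';
    assert(line_invariant(l));   /* postcondition */
    return 0;
}

size_t line_len(const line_t *l) {
    assert(line_invariant(l));
    return l->len;
}

/* Constructed demo sequence: one append that fits, one that is too long.
   Returns the final length (15), or a negative code if behaviour deviates. */
long demo_sequence(void) {
    line_t l;
    line_init(&l);
    if (line_append(&l, "GET /index.html") != 0) return -1;                     /* 15 bytes, fits */
    if (line_append(&l, " HTTP/1.1 extra-long-trailing-junk") != -1) return -2; /* 34 bytes, rejected */
    if (strcmp(l.data, "GET /index.html") != 0) return -3;                     /* state unchanged */
    return (long)line_len(&l);
}

int main(void) {
    printf("final length after demo sequence: %ld\n", demo_sequence());
    return 0;
}
```

The split matters in practice: `assert` guards conditions that only a coding error can violate and is often compiled out in release builds, so input that comes from outside the program must be checked with ordinary control flow (the capacity test above), never with an assert alone.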
    16. Re:weirdly conciliatory remark by donscarletti · · Score: 1

      Well, I try not to be biased against Microsoft; some of their products (in my opinion) are actually better than their competitors, e.g. Excel (very polished and usable spreadsheet) and Visual Studio (slightly buggy, but very well integrated). Well, I decided to check out Windows Phone 7; after all, Windows 7 is much better than XP.

      It sucked, it was just terrible beyond compare, things were slow, badly laid out, hard to read and slow to navigate. I just have to think to myself, why is Microsoft with its resources so incapable of doing something that Nokia, Apple, Google et al. have all done and not made a mess of it? There is just something about how that company is run, some inherent lack of direction regarding quality that just seems to pop up, even when you try to give them more and more chances.

      I am starting to think the MS bashing Apple/Linux fanboys were right all along.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
    17. Re:weirdly conciliatory remark by turbidostato · · Score: 1

      "Whether or not this is noteworthy is up to the reader"

      It *is* noteworthy, probably not in the intended way.

      "Stackpole spending a decade at Microsoft. While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft. "

      If Stackpole spent a decade at Microsoft, as implied, related to security tasks and Microsoft spent that much time and money to achieve such bad results, maybe Stackpole is not the one to be trusted for a book about security, I would say.

    18. Re:weirdly conciliatory remark by turbidostato · · Score: 2, Insightful

      "If they have N times as many lines of code to audit, they need to spend an absolute minimum of N times as much just to stay on level pegging."

      That's exactly the point: with regard to secure development, if it's about auditing, then you are doing it wrong.

    19. Re:weirdly conciliatory remark by Anonymous Coward · · Score: 0

      Microsoft has spent over $1 billion on their Trustworthy Computing initiative.

      This is a long-term, collaborative effort. The goal is to create and deliver secure, private, and reliable computing experiences for everyone.

      MSFT has put their money where their mouth is.

      Sure, they have a long way to go. But Trustworthy Computing is a model that other companies are only now emulating.

      Bash MSFT all you want, find me one other company of that size, or even close, that spent such $$$ on app sec

  6. Obligatory: Where Is The Chapter On by Anonymous Coward · · Score: 0

    Facebook security?

    Yours In Anchorage,
    Kilgore T.

  7. not worth noting at all by phek · · Score: 1

    "While Microsoft is chided for creating more insecurity than security, it is worth noting that no organization in the world has spent more on training its staff and developers on security than Microsoft. "

    That's not worth noting at all; Microsoft has a bigger staff than any software development company in the world. Them spending $10 to train each employee on security would still be more than spending $100,000 to train each employee at a small 9-employee security firm.

    1. Re:not worth noting at all by vux984 · · Score: 3, Informative

      According to this...
      IBM has around ~380,000 employees
      Hewlett Packard ~320,000 employees
      Oracle ~200,000 employees

      http://hubpages.com/hub/Worlds-Largest-Companies-Worlds-Largest-Companies-by-Employees-And-Blue-Chip-Largest-Company-List

      Microsoft isn't even on the list. But I found other sources suggesting they are ~100,000 employees

      And that's just "IT". Many other companies on the list in fields including Banks, Financial Services, Aerospace, and Utilities also really *should* have substantial security budgets. So, maybe it is 'worthy of note' that Microsoft has spent more on training its staff and devs on security. (Assuming it's true... I'm skeptical that there is a good source for that information in the first place... but perhaps there is?)

  8. Arguably? by dfsmith · · Score: 1

    My napkin doodle of a one-legged pirate going `Arrrr!' is arguably the best security book ever. What does that expression mean, in reality?

    1. Re:Arguably? by Monkeedude1212 · · Score: 1

      It usually means that if you were to consult a panel of experts - there would be a debate.

      It does not mean that "someone, anyone, could argue for it" like you seem to think.

    2. Re:Arguably? by Anonymous Coward · · Score: 0

      just an expression, don't look so deep, unless u r the grammar police. :(

    3. Re:Arguably? by jd · · Score: 1

      The exact translation of Arrrrgh is unknown, but seems to involve the translator being sliced up with a cutlass before walking the plank.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Arguably? by dfsmith · · Score: 1

      The dictionaries (Webster's, American Heritage, don't have my OED handy) disagree. Therefore I concede your point is arguable. B-)

      (However, you did make the assumption that I am not an expert in the subject.)

      My point is that the word adds nothing, and its only effect is to make me sigh because when I see it, I know that the reviewer is out of his/her depth. Is it the best security book ever, or is it not? I want answers, dammit!

    5. Re:Arguably? by Monkeedude1212 · · Score: 1

      Well how do you FOR SURE say that something is THE BEST or not? For that you'd need to have access to all of the security books ever and to have thoroughly gone through and evaluated all of them and ranked them too. Then as soon as a new book is released you must do the exact same process.

      Arguably adds the effect of, "Yes - it IS the best security book out there as far as we know. It's entirely possible there is a better one, but we don't know of it. Someone would have to argue for it"

    6. Re:Arguably? by Anonymous Coward · · Score: 0

      Just a term of speech bro, nothing more.
      Why do you focus on this word in a thousand word review?
      And not even comment on the book?

  9. This is not "information security strategy" by Anonymous Coward · · Score: 1, Insightful

    Let's not confuse what this book is about... this is about systems, development and engineering. That does not encapsulate "information security strategy" or even "information security" as a whole. There are many other moving parts including governance, management, culture, people and things that require diligence beyond technology. Way too many people describe information security using the wrong terms. We need to be specific about what we're talking about and also discuss how these components fit into the larger security strategy. Strategy itself consists of understanding an organization's business, its nuts and bolts, its workforce, the cost, its risk tolerance and many other areas. The way you develop or engineer or even maintain a system is a small slice of the areas which need attention. Information security strategy is not risk management and is by no means limited to threats x vulnerabilities = risk.

    1. Re:This is not "information security strategy" by al0ha · · Score: 1

      Agreed - and this viewpoint is specifically applicable to the times we now find ourselves.

      We are at the beginning of a new era of humanity, and whether our descendants praise this generation or curse us depends a lot on what we choose to do now. The problem is we are making a lot of choices based on little or no comprehension of potential future consequences.

      For example, the current mad rush into the *cloud* with data by governments and businesses for the sole purpose of saving a few bucks in the short term. At this point we can not begin to comprehend the future consequences of putting data into the *cloud* and I for one remain extremely skeptical as the *cloud* generally provides no protection for data from the *cloud* owner. Specifically not on Google cloud services - and likely in truth not Amazon or any of the others.

      I view the current, "We gotta save money now, so transfer resources, data and processes to the *cloud*" strategy as pure folly which may prove disastrous for future humanity. Just because a technology exists and can be used for something does not mean that use is appropriate from an Information Security standpoint; a fact which is seemingly ignored due to the nice, friendly "Privacy" policies posted by the various *cloud* providers. If they say it, it must be true seems to be good enough for many...

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    2. Re:This is not "information security strategy" by Anonymous Coward · · Score: 0

      how do you know that from reading the book review?

      like many postings here, seems like people read too deep into them, without ever reading the book!!!!!

  10. Anderson-Book: Nearly worthless by gweihir · · Score: 3, Informative

    The problem is that while "Security Engineering: A Guide to Building Dependable Distributed Systems" does give a lot of interesting details, it is unusable as a guide and it is not an engineering book. I found it to be basically worthless, except for security-junkies that can use it as bedtime reading material. The problem is that it has no discernible systematics, but instead is a collection of said details.

    Even calling it a good book is wrong, as it spectacularly fails to achieve any worthwhile purpose with regard to engineering or science. My advice is to not buy it. The money is better spent on almost any other purpose.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Anderson-Book: Nearly worthless by Anonymous Coward · · Score: 0

      u seem to be the only one who does not like Anderson's book.
      of the 32 reviews on Amazon, nearly all are 4 or 5 stars.

    2. Re:Anderson-Book: Nearly worthless by gweihir · · Score: 2, Interesting

      I know. I bought the last edition, based on those comments. I was sorely disappointed. Being a PhD-level engineer and security consultant, it is possible that my standards are higher. I guess for non-security people this book provides significant entertainment value.

      But its primary failing is that it does not help engineering, i.e. actually solving problems in a systematic way, at all. I cannot recommend it for anybody wanting to get into the security field in a professional capacity at all, except maybe as background material. But that means the subtitle is strongly misleading. In any case, I cannot recommend it as a good "security" book at all. Read Schneier's "Cryptography Engineering" and you will learn a lot more about security than from Anderson's book, even though Schneier only targets IT security. The side comments by Schneier et al. are worth more than Anderson's whole book, because they are about systematics and insights, not blunt listing of facts without professional analysis.

      Don't get me wrong, Ross Anderson is a terrific security researcher. He is just not a good writer, and I have started to severely doubt his qualifications as a teacher.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Anderson-Book: Nearly worthless by Anonymous Coward · · Score: 0

      To call Ross Anderson’s book ‘nearly worthless’ is idiotic, given the sheer number of people who have said it is a great book.

      >>>it is unusable as a guide and it is not an engineering book.

      Not true on both counts.

      Countless people have used it as both.

      Is it a detailed engineering book? No. But it was not meant to be that in the first place.

      >>>>I found it to be basically worthless, except for security-junkies that can use it as bedtime reading material.

      Silly comment.

      >>>The problem is that it has no discernible systematics, but instead is a collection of said details.

      Dude, this was not meant to be such a book.

      >>>Even calling is a good book is wrong, as it spectacularly fails to achieve any worthwhile purpose with regard to engineering or science. My advice is to not buy it. The money is better spent on almost any other purpose

      You seem to be the only one who has such a negative comment.

      Look at the reviews it has gotten.

      Look at the praise info sec pros have given it.

    4. Re:Anderson-Book: Nearly worthless by Anonymous Coward · · Score: 0

      >>>and I have started to severely doubt his qualifications as a teacher.

      His students are some of the smartest security minds around.

      So your doubts are 100% unfounded.

    5. Re:Anderson-Book: Nearly worthless by AdamInParadise · · Score: 1

      Totally agree. This book gets great reviews because it is entertaining, but fails totally as a "guide". It will not turn anyone into a security practitioner.

      Regarding the author, while his heart is certainly in the right place, his research has erred a little on the sensationalistic side ("Chip and Pin is Broken!"). I will have a look at this book, but my expectations are low.

      --
      Nobox: Only simple products.
    6. Re:Anderson-Book: Nearly worthless by Anonymous Coward · · Score: 0

      >>This book gets great reviews because it is entertaining

      this book 'entertaining' please!

      entertaining is harry potter.

      this is a great book since Ross Anderson is a genius and has a lot of really really good data and guidance.

      All people on /. do is seem to knock the people who are smart and make condescending remarks about them. not nice.

    7. Re:Anderson-Book: Nearly worthless by gweihir · · Score: 1

      Your reasoning is flawed. Mediocre teachers can still have excellent students, because their reputation for something else attracts them. Also, when talking about PhD students, they basically self-educate with a little help regarding direction. An excellent researcher can give that help, even if he is not a good teacher.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Anderson-Book: Nearly worthless by gweihir · · Score: 1

      Not at all. Anderson fails to deliver. If this were even a reasonable engineering book, as the subtitle promises, then I would be recommending it, because there are not many reasonably good security engineering books. But this book has me doubting that the author understands what engineering is, namely the systematic application of a craft to solve specific problems. There is nothing systematic in this book and very little about problem solving.

      And please see my original comment about Anderson's research, which I am at least partially familiar with. Although the research has gotten quite sensationalist in his later years. Something I do not like, because it is detrimental to quality.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. in summary by Anonymous Coward · · Score: 0

    In an environment where features are the top priority (aside from time) and being agile to feature creep even higher... your products are ultimately customer driven.

    And if your customer doesn't really know the problem domain, which is 98% of the teams/times out there, you have the case of the 'blind leading the blind'.

    That's why we have so many security problems nowadays... compared to 30 years ago.

  12. Security is Bad Because Nobody Wants to Pay for It by CodeBuster · · Score: 4, Insightful

    Despite the oft-heard complaints of insufficient designs and botched implementations, one rarely hears one of the primary reasons for poorly secured software: the powers that be really hate paying for it. Indeed, it seems that many organizations, for-profit companies in particular, would rather wait until someone sues them or simply purchase insurance against the consequences rather than spend time and money on something they perceive as being of little real value. If we software developers are told to finish the project on time and within budget or they will get someone else (i.e. do it or we will fire you and outsource it to someone who will say "yes"), then we have to do what the people who write the checks want. Most software failures result in loss of wealth, not loss of life, so companies have insufficient incentive to spend time mitigating the problem. In summary, the software engineers are capable and willing but management doesn't want to "waste time" with security. Until that changes, no amount of technical analysis of why software is insecure is going to matter much.

  13. Re:Security is Bad Because Nobody Wants to Pay for by quanticle · · Score: 4, Insightful

    Security holes, like illegal toxic waste dumps, are negative externalities. Without some kind of regulation and enforcement, rational individuals and companies will continue to create more security holes simply because they're not paying the true cost of insecure software.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  14. The problem is information not Strategy by Anonymous Coward · · Score: 0

    There is a myopic view that it is systems which are vulnerable; it's not the system, it's the resource and the information.
    Do I care if you steal some cycles from my CPU or my credit card information?

    The problem with most systems is that the security metadata is not transferable across systems, so there is a manual process of recreating the security metadata when the information flows across the systems. Yes, we have enterprise identity management, but the enterprise object metadata is pathetic. You need both to apply business security rules.

    Security is the instantiation of business rules, system security is an empirical devolution of this point.

  15. bugs have nothing to do with security by Uzik2 · · Score: 1

    Seems like the same old blather. I don't see anything in the author's credentials that lends any credibility to what he's proposing.

    --
    Programming with boost is like building a house with lego. It's cool, but I wouldn't want to live in it.
    1. Re:bugs have nothing to do with security by Anonymous Coward · · Score: 0

      How can you say that you don't see anything in the authors' credentials that lends any credibility to what they are proposing???

      Each of the two authors has deep security expertise, spanning decades.

      Boeing is a company that always has taken info sec seriously.

      Microsoft does also, but not to the depth and breadth that Boeing did.

      They have a lot of credentials and credence. You have any specifics you can refer to?

      Or is this just a general negative comment?

    2. Re:bugs have nothing to do with security by Anonymous Coward · · Score: 0

      Wow, short comment w/o any facts dissing a 400-page book.

      You rock!

  16. Re:Security is Bad Because Nobody Wants to Pay for by durdur · · Score: 1

    Security holes, like illegal toxic waste dumps, are negative externalities.

    They are not strictly externalities, because some of the bad effects can and do rebound on the business entity that is causing the problem. At least they can involve loss of reputation, and they can include the cost of emergency ex post facto mitigation measures, if a security problem is severe. Other financial or legal consequences are also possible, but license agreements typically include a limitation of liability, which provides some insulation.

  17. Re:Security is Bad Because Nobody Wants to Pay for by quanticle · · Score: 1

    The presence of a negative externality doesn't mean the person or organization responsible gets off scot-free. It means that they aren't hit with the full cost of the problem they've caused. I would argue that security holes are a classic case of a negative externality as the organizations responsible for creating them pay a very small amount compared to the economic damage that these security holes cause.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  18. It's a no go by turbidostato · · Score: 1

    "...with detailed requirements and specification from start-up"

    So by its own admission, it won't work.

    1. Re:It's a no go by Anonymous Coward · · Score: 0

      I don't get your logic why it is a no go... please explain...

    2. Re:It's a no go by Anonymous Coward · · Score: 0

      >>>So by its own admission, it won't work.

      explain that to me please.

    3. Re:It's a no go by Anonymous Coward · · Score: 0

      Yes, it does!!

  19. Re:Security is Bad Because Nobody Wants to Pay for by Anonymous Coward · · Score: 0

    OK, this does make sense.

    Everyone wants security, but, it is true, no one wants to pay for it.