Saturday, November 10, 2012

More on building secure IT systems

Last week, I wrote about how the current system (of designing and developing IT systems) is broken: how business will simply not be able to support the high levels of post-facto InfoSec expenditure that are necessitated by the increasing sophistication (and automation) of attacks, and that we need to build security into our systems at design and development time.

It appears that I am not alone in this thinking. I came across a paper (in the SANS library) by Dan Lyon, apparently written as part of his GIAC GSEC Gold Certification effort, titled "Systems Engineering: Required for Cost Effective Development of Secure Products" (PDF document). In it he builds a case for taking a Systems Engineering approach to building security into products, and argues that building security in right from design makes more sense than bolting it on afterwards.

He also refers to other writings and talks on the subject (though as a means of introducing the need for a systems engineering approach), such as:

  • Software Security: Building Security In (2006), by Gary McGraw
  • The Security Development Lifecycle (2006), by Michael Howard and Steve Lipner
  • John Strand, at the SANS Rocky Mountain 2012 Conference: "... the current state of information security is broken; new approaches are needed for information security. Many current practices for achieving information security are applied after a product has been developed. Examples such as firewalls, intrusion detection, intrusion prevention and antivirus are all external systems to what organizations use to conduct business..."
While it is gratifying to see that I am not alone in this line of thinking, I wonder why so little progress has been made in building more secure IT systems from the ground up. Perhaps it is because of one or more of these reasons:
  1. Addiction to tradition: We are so deeply habituated to current development processes that we are unable to break free from them.
  2. Demand-side ignorance: Businesses don't see (and consultants are unable to make them see) the perils of the current approach, and hence they are not ready to pay. In the absence of demand (from businesses), the supply chain isn't ready to invest and gear up.
  3. Supply-side ignorance: The word hasn't quite spread into the developer world! Yes, even in today's hyper-connected, over-communicated world, this can happen. Too many people have yet to adopt new digital media consumption methods, and those who have are subjected to such information overload that much gets filtered out.
  4. Industry ostrich posturing: This could be deliberate (vested interests of the current approach's beneficiaries) and/or simple denial.

What do you think are the reasons?

I am exploring the possibility of doing something about it (instead of merely whining / writing about it). Stay tuned.
