Friday, January 18, 2008
Peterson's method to incite security
I was reading this post from Gunnar Peterson about how to improve application security levels in an organization. He mentions a curious strategy to induce competion between different development teams. In a certain way his method works with a motivation that is vey curious for us: the right to "remain insecure". But in a nice way.He proposed that a certain number of applications are evaluated and the most insecure needs to have all its vulnerabilities fixed. Of course that it will cause some headaches to the business that depends on that app and, mostly, to the manager responsible for that software. So, during the development phase the development team will try to avoid vulnerabilities, so they won't fall in the last position of the "competition". As every team will do it, the average level of security will be improved. That's really a nice approach. One thought, however, i that it needs a strong high management support. The first exception given will throw it all away.An important thing to say is that this kind of competition can also be used to other teams that need to follow any kind of security behavior. We can make the business team with more inapropriate Internet access cases attend to mandatory security training, or the IT support team with more vulnerabilities on their workstations and/or servers needing to fix all of them. By using this approach the organization can estimulate security built in on several disciplines without having to deal with all problems at once.