[WEB SECURITY] Great article outlining a core issue with many in the security community
Steven M. Christey
coley at rcf-smtp.mitre.org
Mon Feb 14 09:23:15 EST 2011
On Mon, 14 Feb 2011, Ory Segal wrote:
> What we do need to ask ourselves is - if nobody is prioritizing security
> as a critical software requirement - what are we doing wrong here???
The news isn't all bleak. But, I think there are at least 3 main issues
at play right now:
1) As already mentioned, there is not enough engagement or education with
the developer community. I agree that reaching out more to developers is a
very important strategy.
2) We are not effectively translating security into actual impact on the
business or mission.
3) Customers don't know how to ask for "more security."
To expand on point 3 a bit...
I believe that in the past, there wasn't enough consumer interest in
security to make it affect a software vendor's bottom line. At this stage
though, there are enough large organizations who care about security to
consider putting it into contract language.
Now the problem is shifting to the question: how do you know how secure a
piece of software really is? Consumers need help in knowing what to ask
for and how to ask for it. "New" efforts like CWSS and Jeff Williams'
security facts label, combined with ongoing work such as DHS' assurance
cases, OWASP's secure contract annex, BSIMM, OWASP Top Ten, CWE Top 25,
etc. are all laying the groundwork that should ultimately make it easier
for customers to ask for more security.
There will probably be a bit of churn and controversy as assurance metrics
are developed, since we still don't have a quantitatively defensible way
to say how well various techniques work for which security concerns,
especially while there are questionable rates of false positives and false
My belief is that once software-assurance measurement starts to become
"usable" to consumers, there will be an increasing push toward security as
a requirement (or at least, a desired feature), which will then ultimately
impact the day-to-day developer. We're getting there, though.