
Software Security May Live in Interesting Times

Next week is the OWASP AppSec conference in New York. I am doing Web Services security training and talking on Web services security and the OWASP Top 10, and it should be "interesting" to be there in the middle of Hurricane Subprime as the MBAs scramble to restructure the global financial system. On the plus side, the Yankees are not going to make the playoffs.


The financial industry has driven a lot of things in technology, and with all of the massive changes there I would expect it to have a major impact on software security. Financial services were set to spend $568 billion on technology this year; for one example, Merrill Lynch spent $566 million last quarter alone.

I think that software security, for better or worse, has been driven by financial services to this point. In my podcast with Gary McGraw, I talked about the "what got us here won't get us there" syndrome in software security: some vendors and consultants have success with a certain technology or process at a big bank, bless it as "hey, this works!", try to roll it out at an insurer, healthcare company, or manufacturer, and are surprised when it doesn't work. A lot of the time they assume the client just doesn't get it, but the client does get it; they just have a different business model. Most other industries have far fewer hard edges and far more integration to deal with.

Software security should benefit from opening up to dealing with other business models. I guess now we're going to find out.


Comments

There is also a difference of emphasis between industries.

Take a difference I've noticed between financial services and government. I have encountered situations where a financial services customer may say "what if we just forget about using all those standards and make all these messages simpler", as they have optimization hard-wired as a goal. A government customer is (in my experience) more likely to focus on standards support for interoperability, and also to support directives that certain standards be used (e.g. XACML, let's say).

If the vendor were to build their product based solely on either customer's needs, they would assume, as you say, that "the client just doesn't get it". It would be either "These government people are crazy, the people back at the bank told us those standards were not important", or else "these financial services people are crazy, we show them all the complex support for standards we have and they do not seem to care at all, they just want us to strip all that out".

In that case, the trick would be to build something down the middle, with the standards support and the optimization. But, just focusing on one sector is bad.
