The Ramblings of a Security Nerd blog makes a really important point around the impedance mismatch between Security and Software groups. The Religious Debates blog entry points out that much of the friction between the two groups can be attributed to the reality that Security teams use an "Intelligent Design" model whereas software teams (and, more importantly, software) evolve.
"The key point here: most security thinking was based on the intelligent design model, while the software world was changing to the evolutionary model. Security folks railed at IT for changing things so often and more recently railed at researchers who would actually dare to point out vulnerabilities in a product before the current 5 year plan had expired. It is popular to point at small, low market share software as models of intelligent design, while large, widely used (sendmail and IIS are good examples) software clearly built quickly and badly are the real types of problems security programs need to deal with. Security needs to be based on quick reactions to rapidly changing conditions - evolving processes, not engraved in stone platitudes about how it should be.
When the hurricane hits, it is fun to point out all the bad decisions that were made, and lessons learned are important. However, it is more important to stop pretending that mass human behavior will be anything but chaotic and evolutionary - whether it is on making funding decisions about building cities that end up below sea level, or building software that will let the attackers pour in.
There are a lot of ways to make things stronger and once the water pours in it kicks things up to the next level. However, it is important to build a security strategy around realizing there will be imperfections, there will be perfect storms, and people and businesses will build houses and applications out of cute but wimpy parts."
Where does this leave security? Does security have the leverage to move software teams to an "Intelligent Design" centrally planned model? Or should it, even? I think not.
I think the answer, instead, is for security to operate like a software development team. Develop approaches that allow for rapid prototyping and deployment of ideas, and be able to replace outdated concepts quickly. This may sound hard, but the Anasazis figured it out a long time ago.
If nothing else, there is an O/R-mapping like step required to navigate the gap that exists between the two approaches we have today, and it is incumbent on the security teams to cross this chasm. Staying in the Intelligent Design (read: Ivory Tower) camp and throwing stones at the Evolutionists is not helpful. Collaboration on building more secure software is.