At the OWASP AppSec conference, Brian Chess offers a really useful insight into business risk and security risk. His presentation looks at risk from the standpoint of a growing business. What makes this a useful presentation is that it depicts "how we got here" for many of the cases we see in the field every day. Brian terms this scenario "why does it feel like we are coming from behind on this."
When a company starts its life it wants to take on as much risk as it possibly can: do something hard and prove it in the marketplace. If the venture is not risky enough, either a big company will take you out or there is no market to begin with. Over time, a successful company's market risk should go down as it gains market share.
Where it becomes interesting from a security standpoint is that early in the company's lifecycle the business has high market risk but little security risk: there is not much in the way of assets to target. But over time, as the business gains market share, its security risk grows. This puts security in a very interesting position, where it has to make up for a lot of lost time even though the decisions to delay security made sense at the time. The risk profile has readjusted: a mature business that is established in the market carries relatively little residual market risk, while at the same time taking on more and more security risk. In general this means the code, the config, and the data and identity architectures all have to play catch-up with a risk profile that has shifted underneath them.
How do you do this? Build it in over time. Look at where Microsoft started on security and where they are now. Toyota entered the US auto market as a joke car that no one took seriously; now they make Lexuses. Successful organizations need to find the right place on the risk curves for when their business is ready to begin making Camrys and Lexuses. This means building security into your development process; the questions are how and when. Some thoughts on different approaches to phasing security into your SDLC follow.
I say much the same things in a series of rants entitled "GP" at https://www.financialcryptography.com/mt/archives/000580.html
In short, there are even more reasons to think of security as a retro-fit: if security is put in early on, chances are it will a) be wrong and b) slow down development and market share materially.
Posted by: Iang (GP) | October 24, 2006 at 02:21 PM