Lots of people talk about getting involved earlier in the SDLC, EA, and arch phases. One reason this matters is that security is as much a design problem in the systems we build as it is an operational problem in the systems we run.
Two good quotes on design:
“Design depends largely on constraints.” - Charles Eames
“Design is simply the management of constraints, and the choice of which constraints are nonnegotiable is crucial.” - Dino Dini
This is why being involved early matters - when security is brought in two weeks before go-live, there are nothing but constraints; it's literally too late to make structural and even most behavioral changes. Getting involved early means two things happen for security. One, there are fewer known constraints, because the jello hasn't hardened yet. Two, security can recognize and adapt to the known constraints at the time.