The most recent issue of IEEE Security & Privacy has a paper by James McGovern and me, "10 Quick, Dirty and Cheap Things to Improve Enterprise Security". We wanted to enumerate the many ways that security can be improved without huge budgets, massive projects, or rafts of project management. Security does not have to require seven-figure projects; in fact, many times it's best to be quick (re-orgs happen so often that speed is critical), dirty (perfect software doesn't exist), and cheap (dollars are scarce). Here is our list:
1. Don't Just Market to Executives, Market to Developers
2. Leverage Container Services Wherever Possible
3. Encourage a Community Orientation
4. Focus Less on the Process and More on the Competence
5. Minimize the Ways to Attack an Application
6. Prioritize your Security Needs
7. Find Diamonds in your Backyard
8. Improve your Audit Logging
9. Send in the Crash Test Dummies
10. RTFM
11. Bonus Tip - Let Developers Be Successful
The paper was very fun to work on, and I think it will spur ideas. What quick, dirty, and cheap ideas do you have to improve security?
That's great, Gunnar, but I see this as somewhat incompatible with the "let's reengineer everything" position you also take in some of your posts (such as http://1raindrop.typepad.com/1_raindrop/2010/01/what-infosec-should-learn-from-apt.html).
Not being overly critical or cynical about it; I'd just like to hear your perspective about how to balance between these two different perspectives (quick and dirty [and cheap] vs. let's rebuild everything from scratch).
Posted by: Augusto Barros | April 23, 2010 at 01:57 PM
@Augusto - What we are trying to do with this paper is to enumerate some proven ways to make forward progress on security without having huge exec support, budgets, etc., so it's evolutionary, not revolutionary. Lots of people are not in a position to make major changes to the overall system, but can still cost-effectively make major security improvements.
Posted by: gunnar | April 25, 2010 at 10:08 AM