Belgium has contributed a lot to the infosec world, for example Rijndael and a great conference, SecAppDev. Plus Hercule Poirot.
It's commonplace now for people to say they want to "build security in", but it's worth noting that saying "build security in" is a lot easier than actually doing it. All sorts of questions come into it: what kind of security capabilities do you want to build? Where? What about legacy migration? What quality of protection to shoot for? Should we strengthen the weakest link or build stronger centers?
Oh, and once I have a design logic that incorporates the above, how do I make it as easy as possible for developers and admins to integrate these security services cohesively? This last part is the trickiest of all, and it gets the least attention.
However, it did not escape the studious gaze of the famous Belgian detective. Hercule Poirot said the Wasps' Nest was the most challenging case of his career. What makes this case so challenging is that Poirot is investigating and ideally solving a murder that has not happened yet.
This is precisely the challenge we face in security design: getting the point across to developers that we need to build more secure code, while at the same time security architects have to point to attacks that have not happened yet, which leverage vulnerabilities that (often) have not been created yet, because the code is still under development. No wonder security-speak often sounds so convoluted. Mitigating theoretical vulnerabilities against theoretical attacks may as well be speaking Mandarin.
So how to combat these two issues? Make things as concrete as possible. I see three main areas. One, ensure there is clear guidance on what the defenses should look like. Two, each of these security capabilities should be backed by a battery of test cases. The test cases should show both that things are working as expected and that known downsides are avoided. Gauntlt is a good example if you are an agile shop. There is a lot more that can be done: for example, tests that authorization works at the right level of granularity, and that TOCTOU, concurrency, CSRF and other attacks are mitigated.
Three, a clear signal to developers and admins that shows things are installed and configured properly. As an engineering philosopher observed: "There's a light in diesel trucks that says 'Water in the Fuel', well when that light comes on, well, that means you've got water in the fuel. Leave that light on too long and your truck just dies." Despite the billions spent on infosec, we provide no such clear signal or guidance to developers and ops folks that could tell them whether their efforts are on the mark or not.
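To make the second and third points concrete, here is an added example (not code from the original post, and not Gauntlt's) of what a small battery of test cases plus a "Water in the Fuel" light might look like for two security capabilities: object-level authorization and CSRF protection. The `Document`, `Session`, `can_read`, `csrf_ok` and `security_health` names, and the settings keys the health check reads, are hypothetical; the tests at the bottom check both that the capability works and that a known downside (wrong authorization granularity, a token from another session, a missing token) is rejected.

```python
"""Added example: a test battery for two security capabilities plus a
plain-language misconfiguration signal. All names and settings keys
are hypothetical, not from any particular framework."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


# --- Capability 1: authorization at the right granularity -------------------

@dataclass
class Document:
    doc_id: int
    owner: str
    shared_with: Set[str] = field(default_factory=set)


def can_read(user: str, doc: Document) -> bool:
    """Object-level check: a user may read a document only if they own it
    or it was explicitly shared with them. A check that stops at
    'user is logged in' would be the wrong level of granularity."""
    return user == doc.owner or user in doc.shared_with


# --- Capability 2: CSRF synchronizer token ----------------------------------

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def csrf_ok(session: Session, submitted: Optional[str]) -> bool:
    """A state-changing request is accepted only if the submitted token
    matches this session's token. compare_digest avoids leaking the
    match position through timing."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


# --- The "Water in the Fuel" light -------------------------------------------

def security_health(settings: Dict[str, object]) -> List[str]:
    """Return plain-language warnings about how the two capabilities are
    wired up. An empty list means the light is off. The settings keys
    are a constructed example of what a project might expose."""
    warnings: List[str] = []
    if not settings.get("csrf_protection_enabled", False):
        warnings.append("CSRF protection is disabled")
    if settings.get("session_cookie_samesite", "None") == "None":
        warnings.append("session cookie SameSite is 'None'")
    if not settings.get("session_cookie_secure", False):
        warnings.append("session cookie lacks the Secure flag")
    if settings.get("authz_mode") != "object":
        warnings.append("authorization is not enforced per object")
    return warnings


# --- The test battery: positive cases and known downsides -------------------

def run_battery() -> List[str]:
    """Run every check and return the names of the ones that failed."""
    failures: List[str] = []
    doc = Document(doc_id=1, owner="alice", shared_with={"bob"})
    sess = Session(user="alice")
    other = Session(user="alice")  # same user, different session
    good = {"csrf_protection_enabled": True, "session_cookie_samesite": "Lax",
            "session_cookie_secure": True, "authz_mode": "object"}
    checks = {
        "owner can read": can_read("alice", doc),
        "explicit share can read": can_read("bob", doc),
        "logged-in stranger cannot read": not can_read("mallory", doc),
        "own token accepted": csrf_ok(sess, sess.csrf_token),
        "missing token rejected": not csrf_ok(sess, None),
        "empty token rejected": not csrf_ok(sess, ""),
        "other session's token rejected": not csrf_ok(sess, other.csrf_token),
        "light off when configured": security_health(good) == [],
        "light on when misconfigured": len(security_health({})) == 4,
    }
    for name, passed in checks.items():
        if not passed:
            failures.append(name)
    return failures


if __name__ == "__main__":
    failed = run_battery()
    print("all checks passed" if not failed else f"FAILED: {failed}")
```

The point of `security_health` is that its output is meant for the person deploying the code, in the same plain terms as the dashboard light: each warning names one thing to fix, and an empty list is the explicit "on the mark" signal the post asks for.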