Monday, June 16, 2014

Choosing the Right Entry Point for a Software Security Program

The topic of software security, or AppSec, has once again cropped up recently in my travels and conversations, so I thought it would be prudent to address it here on the blog. Fred, who is responsible for software security in an enterprise, was being given a small pool of money and a chance to plan, design, and implement a software security program. The big question on Fred's mind, then, was where to start.

As we talked through the options, and I discussed some of the mistakes I've made and have witnessed others make, I tried to advise Fred to be cautious. One of the most damaging mistakes you can make when starting a software security program from scratch is starting in the wrong part of your Software Development Lifecycle, or SDLC. This is exacerbated by the fact that many organizations have more than one software development lifecycle, so the cost of picking the wrong starting block is quickly amplified.

Sunday, June 15, 2014

Getting Wrapped Around the CISO Reporting Structure Axle

CISOs are in the limelight right now as the parade of data breaches marches on. One of the big topics is the issue of reporting structures. To whom should the CISO report? Should the senior information security leader be a company officer? All valid questions, and more.

Tuesday, June 3, 2014

In Defense of Reactive Security

Warning: This post contains a Sun Tzu quote...

Let's start here:
You're driving down the street, minding your own business and doing the speed limit. Both hands are on the wheel, no cell phone in sight, radio turned down to a moderate level, and you're generally driving the way the books tell you to. As you approach the intersection where your light is green, you take a quick glance to your left, then to your right. All is clear, and you have the go-ahead. Now, as you enter the intersection, a child on a skateboard darts into the street in front of you...
In your mind, right now, you've slammed on the brakes and are laying on the horn, right?

Every one of us reacts to our environment, it's how we survive. And yet - when you say "reactive" security today you get looks from people like that's a dirty word. Why is that? Much like other circumstances where perfectly reasonable terms and ideas get hijacked ... I blame marketing.

A responsible enterprise security program plans for as many negative scenarios as possible and accounts for them in advance (called being pro-active), and then reacts as conditions in the environment change (called being reactive). One without the other simply makes no sense, and yet all the marketing literature has CISOs thinking that being reactive is somehow bad.

It would appear that, in the quest to invent new problems for the many 'solutions' out there, the term reactive has been ascribed some meaning I'm not familiar with. To clarify: both reactive and pro-active security measures are required, in harmony.

There's an interesting quote, commonly attributed to Sun Tzu, that applies here, mostly:
Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.
Pro-active security is better known as strategy. This is all the planning a security leader does based on a survey of their current resources, capabilities, technology and environment, and, if you're lucky, maybe based on history as well. Being pro-active is a great idea; in fact, it's absolutely essential. Anyone who's ever tried to paint a room, or lay tile, or heck, even sleep-train children, will acknowledge that without a proper plan you may get halfway in before you realize you're lost. Here, though, information security diverges from the quote. Strategy without tactics, in our industry, is not the slowest route to victory but certain failure. I don't mean the type of failure where you get hacked or breached; I mean the type of failure where you get hacked or breached and you find out 9 months later because someone reports it to you... or the media calls your PR officer and asks for a quote on the giant breach you've experienced.

Reactive security is better known as tactics. You need tactics. Your organization, and your strategy, are nothing without tactics. The principal reason is that sometimes, just sometimes, the bad guys/gals we all plan for get creative and adjust their behaviors. Sometimes the markets shift, business climates change, and technologies move on. Sometimes a vulnerability is found in something you consider core to your security (SSL, for example) and you have to adjust quickly and decisively. You can plan for reactive or tactical security only in the sense of planning for the fact that you will have to react, not for the specifics of what you will be reacting to, and you have to give yourself and your security program enough flexibility to adapt and adjust when that moment comes.

From experience, one of the biggest issues to date [that I've come across in my clients and personal experience] in security programs is that they become inflexible, unable to adapt to their changing environments. Once a security strategy is laid out, funding is set, and projects are launched, everything is set in stone. Should needs change, should adversaries surface that we didn't account for, or should new technologies or methods simply arise, we're left with a shrug of the shoulders and "Well, the budget for this year is set, we can plan for that next year," which is absolutely insane.

So I give the CISOs I advise 3 simple rules to go by:

  1. Develop a strong plan, which has clear goals and the ability to flex when needed.
  2. Develop a tactical capability to pivot on the fly as needs, environments, and adversaries change.
  3. Expect to have to adapt either or both of those.