This blog is inspired by an interesting discussion on Twitter between Raf Los (Wh1t3Rabbit), Jeremiah Grossman (jeremiahg), Barry Dorrans (blowdart), Jack Daniel (jack_daniel), securityninja (David Rook) and me chiming in. The discussion started with a simple enough tweet from Raf: “AppSec ’till now has been “myopic” in a word; suggestions for the future, and commentary (via FB) http://fb.me/Rm9oAITx”. But it moved on to some key points:
- AppSec / InfoSec has problems because too many people want, or sell, InfoSec as a “pizza box” solution.
- Business wants to view the problem the way it has viewed every other problem: I buy something to fix it.
- Regulations could be a possible solution to the issue.
To me #1 sounds pretty real. Due to the nature of my job I get to see a lot of vendors, not just for AppSec but for all kinds of security products. I can also tell you that nearly 90% of the presentations are “buy this and all problems are solved”. In my mind this thesis only holds true for very small, very well defined issues. The bottom line here is that most of the time you can’t buy your way out of a security problem.
#2 sounds fairly right on as well, because most business leaders or owners don’t really understand how software is built or designed. They don’t know how to deal with its security issues. Not to mention that they think of most security in terms of regulation they have to comply with, not as an integrated business process (which I argue it should be).
So that brings us to #3: why not just regulate the industry like everything else? Honestly this deserves a post of its own, which I think I will go into another time.
I think these things are tied together, and to solve the problem you have to address the “InfoSec Triangle”.
Security is a three-pronged problem in all instances: People, Process and Technology. You have to have the Technology to control or define the rules you want People to follow, there has to be a Process by which the technology is secured, and People have to understand both how to use it and why it’s important. If you miss either of the last two you’ve spent a good deal of money on a shiny box with fancy flashing LEDs, and while that may look nice at Christmas time it really doesn’t solve anything. As such, the real question here is how to drive real InfoSec in real businesses in an effective manner.
I think we can build effective process and effective technology, but we have to solve the People problem to get to an ultimate solution. To me this means education, communication and maybe regulation. How would you solve the People problem?
UPDATE: added real name of SecurityNinja