In speaking at the inaugural IT Decisions conference held in Birmingham last month, I asked delegates to consider how we can tackle the issue of software security with better decision making and what would be required to make this possible, writes Alessandro Moretti, executive director and head of risk central services at UBS. While it is recognised that vulnerability to fraud is often a product of insecurity in the software behind the products and services we consume, few realise that the reason it is insecure comes down to two non-technical elements: people and processes.
This shouldn't come as a surprise. The people involved in the software development lifecycle have been equipped to make decisions focused on other priorities; generally making it more human for the user or more cost-effective for the business. Their decision-making capabilities have developed over many years and become engrained to the point where they don't have to actively think about many aspects. It has provided the foundation for well-established processes in the development sector today.
An analogy can be made with the capability we all have to efficiently tackle the task of the weekly shop. We probably make 50-60 decisions every time we make our way through the local supermarket, but they tend to come naturally with the required decision-making capability engrained.
Back to school to learn a new priority
Introducing a new priority - in this case security - into the development process is akin to asking the experienced to return to school. They need to develop an added risk perspective for almost every decision that is being made, if security is to become part of the development mindset and come naturally. Part of the requirement is knowledge and a number of organisations, including two in which I am actively involved, OWASP and (ISC)2 , have made a significant effort to document and develop education programmes using best practice. This is creating a well-maintained repository of current and very specific knowledge. The next challenge is to instil appreciation for this knowledge and the value of risk assessment as a core, even defining skill for this sector. The development community as a whole must be able to take qualified, decisive action based on the right knowledge and added risk scenario for their decision.
This is no insignificant task, particularly when you consider the macro trends in the sector. Many organisations, both end-users and suppliers, are outsourcing parts of their development to many other organisations. Ironically this could contribute to the development of an active assessment process. Everyone is going to have to get more involved in supplier assessments and in demonstrating what they are doing in this area. This will lead to more demand for certification of both the people and the processes. In addition to the knowledge base, models are emerging for measuring the maturity of the security within an organisation's development lifecycle, providing a framework for improvement.
The development community are in the early stages of a new competency that I believe will effect significant change in the sector. On the people side, it is accepted that once you go through the process of certifying enough staff in a new competency, the organisation experiences an operational benefit as decisions become risk-based and effective. Clearly this results in informed influence over process change, and the inherent competencies that are behind every decision that is taken.
Alessandro Moretti, CISSP, CSSLP, is executive director UBS, head of risk central services and is a member of the (ISC)2 European Advisory Board.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)2.
This was first published in July 2010