Robert Graham over at ErrataSec has a post in response to Securosis and Microsoft regarding secure development lifecycles. I’d have commented there, but they don’t allow anonymous comments…and I’ve been conscious to not browse around the web while logged into my usual account (something about correlation and tracking nonsense). And I look dumb posting as lvnewsreader. 🙂 So here’s my response:
Disclaimers: I’ve not thoroughly read the links Robert provided, so apologies if I sound dumb. I agree with everything Robert said in his post, so this isn’t really an argument so much as it is a situational “next-step.”
An SDL (or really any preventive security measure) plays straight back into the great gamble of business: gambling on the risk of being breached or not (in whatever form).
But I think there *is* a case where prevention can demonstrably save money: assume the risk of a breach is absolute. For Microsoft, I think we can safely say they will have weaknesses and thus patches to roll out. I’m pretty sure they can play the game of valuating the impact of those incidents, and probably spend on prevention and feel ultimately good about it. With Robert’s “sale” analogy, this would be the situation where your wife *was* going to buy that item today regardless of the sale, but she did actually save money (though possibly by sheer luck).
Assuming an incident is inevitable is easy to say, but hard to act on. Most organizations have years of no apparent critical security issues, and their management will have a hard time accepting that suddenly the sky is falling. It is the same way many people think their home is secure, just because they’ve never witnessed someone wiggling the windows.
Side note: I really like Robert’s “sale” analogy. That’s actually a small pet peeve of mine. Sales aren’t meant to save money for someone who is already buying something. They are meant to make a sale right at that moment that would not otherwise have been made (or to get someone into a store to make other ancillary sales).