Comments on: Six Sigma and App Security

By: Why Information Security is the Hardest Career | Information Security Leaders

Tue, 10 Nov 2009 22:36:15 +0000

[...] changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – [...]

By: MikeN

MikeN — Mon, 22 Jun 2009 21:02:06 +0000

It sounds like you’re both in agreement that a financial wrapper is required for C level execs to even look at application security. The way I see it, there’s 2 ways to frame the conversation 1) You’re going to make X amount of money or 2) You’re going to not lose Y amount of money.

The problem with option 1 is unless you’re going to build and sell a solution to secure you’re application security, you’re not going to make money on it. It’s a cost centre.

The problem with option 2 is, financial quantification of risk is a very difficult thing to do without sounding like chicken little. Until a very tangible example of the described perceived loss is presented in the company, marketplace or media the C level exec can justify 100 other things to spend the money on.

In my opinion, it’s a lot like insurance. Everyone hates it until you or someone close to you needs it, then you’re glad you have it. It would take a very open minded C level exec to start the trend, but even if you find one, how do you have that “we saved umpteen million dollars” moment that gets shared with the world?

By: dwaynedibbly

dwaynedibbly — Mon, 23 Mar 2009 10:51:17 +0000

So what we really need is a killer app that by it’s very nature must developed and deployed in the most assured way posible, that can act as a trojan horse (no pun intended) for bringing good quality practices (whatever they actually happen to be in the app-sec space) to the masses. I have a few thoughts on what that app should be (and it ain’t DLP)!

Fascinated to hear your thoughts on the translation/uses of manufacturing disciplines into security, it is rather apposite for myself at the moment. Personally I can see a lot of value in the Lean’s pull methodology for creating self evidencing compliance controls – not exactly sexy, but necessary none the less.

By: mmurray

mmurray — Fri, 20 Mar 2009 20:34:53 +0000

A couple of thoughts:

First, completely agree on the application of manufacturing discipline to security processes – they are different animals. I have thoughts on the translation process between them, but that’s out of scope for this conversation.

Second, you bring up the biggest problem in the whole appsec issue – in order to drive adoption, appsec has to create a tangible business benefit (in the same way that 6S/Lean drive efficiency and profitability in the long term) before we can have the large-scale business adoption.

Is the current loss from a lack of app-sec enough of an impact on the business to make that worth doing? I have no idea. I have my thoughts, but none of them are more than wet-finger-in-the-air guesses.

All I was really saying is that, if we’re ever going to have mass-market penetration, we need those early adopters in the same way that Six Sigma needed GE & Applied Signal and Lean needed Toyota. We need to use the quality movement as a metaphor and a roadmap to organizational adoption.

I haven’t seen that yet, which isn’t going to make it something that CIOs recognize as valuable.

By: dwaynedibbly

dwaynedibbly — Fri, 20 Mar 2009 20:23:45 +0000

This is indeed a rich topic for debate. For the sake of argument I’ll adopt a more extreme position than is strictly appropriate. The blanket application of manufacturing paradigms to information security is at best misguided and at worst completely irrelevant.
Two examples should focus things – fixing security flaws in word and building an IDS. Fixing security flaws in Word is a noble thing to do but from a manufacturing point of view it is a non-starter. Word is designed to help people create documents and communicate ideas. It should do this efficiently and effectively. That a bad guy can make word do nefarious things, whilst not good, is not part of the fundamental design brief that delivers a product to market that people will use and gain the penetration that lead to sustained profit. Lean and 6S in manufacturing are about delivering a product that consistently delivers to customer expectations within the parameters of acceptable use – fail at that and the commercial opportunity is lost. Lean delivers production efficient by eliminating waste, 6s by eliminating production defects. If ones business is delivering security software, or implementing a secured system, like an IDS or payment system, then security is a functional requirement and therefore in scope of manufacturing paradigms. A false-positive in an IDS is waste Lean should eliminate and evidence of a defective detection routine that 6S should cover. If a flaw in word can compramise a supposedly secure system, then it is not a failure of word, but in the defensive depth of the secured system. If a flaw in word can screw up or lose a document, then it is a failure of word.
Now here’s the rub. What if 6S and Lean, expressed as organization qualities, had only peripheral effect on the success of the business? Toyota’s Lean techniques haven’t made people buy cars in the current down turn. Lean is about efficiency. Name me one business for whom efficiency isn’t vitally important? 6S is about avoiding mass production mistakes. What business won’t benefit from that at some level except companies that succeed because of bespoke production for whom 6S isn’t that relevant? I don’t mean to undermine these things, they have delivered tremendous savings and efficiencies. But a vibrant market, flush with ready cash is far more important. The ecology of a business is the single biggest contributor to it’s success. If the market demands custom built then mass production won’t help. If the market don’t want what you sell, however good, then the product is a dud. Looking at the success of previous companies and divining what made them work is very difficult. It is fraught with danger and bad assumptions. The Halo Effect by Rosenzweig (http://www.amazon.co.uk/Halo-Effect-Business-Delusions-Managers/dp/0743291255) describes the problems very well and is a must read! Certainly the level of data needed to prove that these things are in-and-of-themselves recession beaters in today’s ‘noughties-are-the-new-thirties’ world is just not there.
Quality is not free. To describe it as free implies perfection is free, which is demonstrably untrue. It takes practice, honesty, integrity, dedication and energy. Every industry needs that. If you want to sell application security it to C-level executives then prove that the security you deliver is what your customers actually want. But one has to remember from TX Maxx that customers are fickle beasts who’s memory length is inversely proportionate to the depth of their pockets, and aren’t apt to behave in totally rational ways.
Am I right? I don’t know. All I know is that survival is based upon one’s reading of the world and adaptation to that information. More security is not always the right thing. Just ask the blacksmith forging a new sword with a suit of chain-mail on.