20061227

Making Security Rewarding

One of the problems with the field of Information Security, particularly secure application development, is that it is not an inherently rewarding practice. Development is a rewarding practice when you add new functionality, or make existing processes easier to use or more efficient.

The really dangerous part of this lack of reward is that hacking is inherently rewarding for those with that mindset. I've told co-workers many times that if I didn't really have a concern with the legality or the morality of it (we won't get into whether Robin Hood was virtuous or not), I would probably want to be a hacker. In a development world, or even in support of a development world, you're driven by project deadlines and feature sets that the users covet. Security is (generally) an afterthought. In the black hat world, unless you're being directly paid for something you're supposed to produce ultimately, you're driven by your own creativity and your own ability to come up with an effective attack, and to do so without being caught, and before everybody else does.

To me, the second sounds very rewarding. In the former, you're paid to implement somebody else's creativity, and on their timeline, etc. In the latter, you're driven by the good idea - new and crazy ideas are rewarded, not dismissed.

So how do we apply this type of reward to security? People relate vulnerability assessment and code review to insurance - you don't know how valuable it is until it's needed. The only problem with that analogy is that when you need insurance, you know precisely how valuable it was. With information security, you really don't know how many dollars you're saving because you're preventing the breach in the first place. How much money does eating right and exercise save you in the long run? Well, it's hard to measure, but proponents of the behavior would basically say "a lot".

In vulnerability assessment, you get glimpses of that great reward. You can say to your colleagues "I totally pwned this site", and provided you have a contract that dismisses you from any damages because you were doing a security test, you can be confident that you probably did it for the right reason.

How do we apply that to developers? Can we tie their salary to flaws found in code review? Can we tie Christmas bonuses for engineers to defects found during an ethical hack? Can we dock developers' pay when their work ends up getting hacked?

It's hard to say that I necessarily disagree with the functionality vs. security argument. Security doesn't make money - it has the potential to save money, and until you're hacked, you don't know how much. If you prevent a hack, you still can't say how much money you've saved. And it's hard to hang a likelihood number on particular threats - that metric would be dependent on a billion factors including the economy and human emotion.

While we try to bake security into the entire development lifecycle, we need to come up with creative ways to make a practice that doesn't improve efficiency or add fancy functionality rewarding just the same.