Seeing ‘Red' over Cyber Security
Cyber security is a highly charged issue from boardrooms to regulators and solution providers. Indeed we all depend on critical infrastructure and global supply chains. Why then, even in new products are there still so many common security weaknesses?
Popular theories are abundant: executives view security as purely extra cost; regulators believe people just don't understand the risk; and solution vendors just want to sell you something...and so on. I can't put enough emphasis on the last point. Pushing FUD is the wrong approach.
A better approach is seeing red over cyber security.
Seeing red in terms of the true cost of defects is a core theme in the security development lifecycle (SDL). Pay now or pay orders of magnitude more in after the fact remediation. Addressing security early and often can help avoid fiscal red.
It's important to note SDL effectiveness is largely understated due to incalculable external costs incurred by customers. Not only is there a direct cost for producing fixes but end users carry a significant cost for roll out.
To truly be effective we must also reduce the external cost of security measures. "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" from Microsoft research challenges just how wrong it is to assume people just don't get it about security.
However, seeing red over cyber security in the military sense of engaging cyber red teams is proving very effective. The general principle is about using offense to inform defense. In familiar terms you can't improve what you can't measure.
To see red, go on the offensive and identify security metrics. There will be gaps and some applications may need to expose better controls and indicators. As a case in point, consider the vCampus discussion about security with a lot of people managing tags. At the very least this is an externality we must address; in the meantime monitoring is possible.
According to SANS, even with incomplete metrics the US State department observed dramatic risk reduction using a data centric approach. Through osmosis federal regulators are starting to see red too. Security enforcement based on real time data is becoming a practical necessity because compliance penalties are per day in violation.
For software development projects, it's better to see red early rather than depend on network fuzz testing or product penetration testing of fielded product. The DHS sponsored Control Systems Cyber Security Advanced Training Workshop at Idaho National Lab can help you develop a red team mind set. This cyber war game activity has an excellent reputation and is a catalyst for showing many engineers to see red.
Seeing red, using offense to inform defense, helps us make the right development decisions. Perhaps just as important for developers is how red teams make security intensely personal - no one wants their code to be abused or broken by a peer!