J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

High ROI Security Activities

High ROI Security Activities

  • Comments 5

You can create effective security activities based on the high ROI engineering activities:

  • Security design guidelines
  • Security architecture and design review
  • Security code review
  • Security testing
  • Security deployment review


Rather than interspersing security in your existing activities, factor security into its own set of activities.  Factoring security into its own workstream of quality control, keeps the activities lean and focused.  Because you’re leveraging high ROI activities, you’re increasing the likelihood of influencing the shape of the software at strategic points.  You create an engineering system that helps you address security throughout your software development vs. up front or after the fact.   Using multiple activities vs. a single big bang effort up front or at the end creates an approach that scales up or down with project complexity and size.
 

The trick is to not over-invest at any one stage – stay leveraged.   Rule out losing strategies early in the analysis but still cast a wide net.  Progressively more costly analysis happens later and is much more likely to be on the correct path.   Don’t spend a lot on costly late activities until you’ve passed muster on much less costly activities.  Start with low cost, high roi activities, learn along the way, iteratively add more time and expense as you better understand what you are doing.
 

Simply factoring security into its own activities doesn’t produce effective security results.  However, factoring security into focused activities does create a way to optimize your security efforts, as well as create a lean framework for improving your engineering as you learn and respond.

  • Great stuff - keep it comming!!!
  • patterns & practices has released the Security Engineering Explained guidance which JD describes as High ROI Security Activities. Follow the URL for the announcement of this new guidance.
  • Lifecycle and prioritization seem like a key to successful implementation of Security Engineering. Why

  • I am not marketing guy, nor strategic one – I really do not know why I started to read this post - Why

  • Threat Modeling is a way to identify potential security issues to help you shape your application's security

Page 1 of 1 (5 items)