The other day I was talking to someone about the next big project we’re working on around risk analysis and he used a phrase “knowledge management and translation” to describe what we’re trying to do. I think this is precisely correct.
Any effective, comprehensive solution to the software security problem can be broken into the following three pillars:
Initially, there just wasn’t enough knowledge (which one can argue was due to the fact that there was no interest) in the software security domain to define what kind of training is needed for the development teams, what kind of processes are needed and what kind of tools are required. Nowadays, it seems as if there’s a whole lot of knowledge. Training courses of all sorts (online and in-person), guidance and code examples on how to fix security problems (correct and incorrect), processes and methodologies being developed by companies and academia as well as a whole range of tools that promise oh so very very much…
But do you need to go all out on security for all the applications you develop? You can’t… it’s just not feasible. For example, Microsoft internally has over two thousand line-of-business (LOB) applications, and not all of them get the same level of security scrutiny. One application might show you the menu being served by cafeterias around the campus, while another might manage the company’s undisclosed financial information. Clearly, the two applications are in a different league as far as security requirements are concerned. Our job is not to burden the development teams behind these apps, but rather to manage the security knowledge and provide them with the information necessary to build an application with an acceptable security posture given their business objectives.
Knowledge translation is another key aspect. Consider a specific control you wish to implement. How does this control translate into a metric for executive management, who need to determine whether they are SOX compliant or not? How does this control translate into a report that shows security vulnerability trends for managers? How does this control translate into the knowledge developers and testers need in order to implement and verify it?
Knowledge Management & Translation - Sounds easy, doesn’t it? :)