How is secure coding sold within enterprises?

[gunnar at arctecgroup.net (Gunnar Peterson)]

JD Meier had a good post recently on influencing without authority, which is the
position security finds itself in:

1. assume all potential allies
2. clarify goals and priorities
3. diagnose the allies world
4. identify relevant currencies
5. deal with relationships
6. influence through give and take

http://blogs.msdn.com/jmeier/archive/2007/03/09/influencing-without-authority.aspx

how does this translate to app security? well i think it means find
stakeholders/allies wherever you can. any group that is interested try to 1)
educate them about software risks and software security and 2) give them
tools/process they can bring to bear on the problem. specifically, legal teams
are generally very interested in risks, so i have seen several legal teams at
very large companies deploy parts of the OWASP legal project to good effect.
business analysts can be trained on how specify some security concerns in use
cases/user stories. qa teams can be educated on security specific testing tools
and techniques, architects can learn how to design reusable security services,
and so on. so whatever group that seems eager to get involved it makes sense to
engage, once security concerns are embedded in test plans and use cases, aligned
with business goals, the software security effort is not a one off from a
developer point of view.

find all allies, turn none away, arm them with knowledge, turn em loose.

the other issue is that there are many security services that you cannot expect
an app project to deliver on its own. skyscrapers should not have to have their
own fighter jets to protect against people flying planes into them, that is why
you have an air force. making the case for platform security can be hard, but
that is where the architects have to help (i seem to recall that security is a
nonfunctional requirement and that architects are supposed to own non
functional requirements). one of the reasons i like browser-based federated
identity is because you can externalize some authN code from the app, you get
stronger identity tokens across the wire, you don't have developers creating
their own authN code, and of course the users get SSO and SLO. this is like app
armor, in my view, a reference model for security services - improved security
mechanism, great usability, business value, and a simplified programming model.

-gp

Quoting "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>:

> Thanks for the response. I already own the book and understand how to engage
> vendors. Where I am seeking assistance is all the work that goes on within a
> large enterprise before these two things occur. The ideal situation for me
> would be to get my hands on the five to ten page Powerpoint slide deck that
> others who have blazed this path before me have used to sell the notion to
> their executives.
>
> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj at owasp.org]
> Sent: Monday, March 19, 2007 5:06 PM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L
> Subject: Re: [SC-L] How is secure coding sold within enterprises?
>
>
> In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's
> "The Security Development Lifecycle" ISBN 9780735622142
>
> http://www.microsoft.com/mspress/books/8753.aspx
>
> It is simply the best text I've read in a long time.
>
> You may be interested in the work Mark Curphey et al is doing at his new
> start up. They launched an ISM portal a couple of weeks back.
>
> http://www.ism-community.org/
>
> If you're just after ideas on how to engage vendors, check out Curphey's blog
> for some nice insider posts:
http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
>
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
>
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/
> He ran Foundstone's services for a while, and built up a pretty good
> consultancy.
>
> The sort of metrics you're after are notoriously hard to find out in the
> wild. There's some folks capturing screenshots of enterprise dashboards. This
> may or may not help at all.
>
> http://dashboardspy.com/
>
> Thanks,
> Andrew
>
>
> On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)"
> <James.McGovern at thehartford.com> wrote:
>
>
>
> I agree with your assessment of how things are sold at a high-level but still
> struggling in that it takes more than just graphicalizing of your points to
> sell, hence I am still attempting to figure out a way to get my hands on some
> PPT that are used internal to enterprises prior to consulting engagements and
> I think a better answer will emerge. PPT may provide a sense of budget,
> timelines, roles and responsibilities, who needed to buy-in, industry
> metrics, quotes from noted industry analysts, etc that will help shortcut my
> own work so I can start moving towards the more important stuff.
>
>
>
> -----Original Message-----
> From: Andrew van der Stock  [ mailto:vanderaj at owasp.org]
> Sent: Monday, March 19, 2007 2:50  PM
> To: McGovern, James F (HTSC, IT)
> Cc:  SC-L
> Subject: Re: [SC-L] How is secure coding sold within  enterprises?
>
> There are two major methods:
>
>
>
>
> 1.    Opportunity cost / competitive advantage (the  Microsoft model)
>
> 2.    Recovery cost reductions (the model used by most  financial institutions)
>
>
>
> Generally,  opportunity cost is where an organization can further its goals
> by a secure  business foundation. This requires the CIO/CSO to be able to
> sell the business  on this model, which is hard when it is clear that many
> businesses have been  founded on insecure foundations and do quite well
> nonetheless. Companies that  choose to be secure have a competitive
> advantage, an advantage that will  increase over time and will win conquest
> customers. For example (and this is  my humble opinion), Oracle's security is
> a long standing unbreakable joke, and  in the meantime MS ploughed billions
> into fixing their tattered reputation by  making it a competitive advantage,
> and thus making their market dominance  nearly complete. Oracle is now paying
> for their CSO's mistake in not  understanding this model earlier. Forward
> looking financial institutions are  now using this model, such as my old
> bank's (with its SMS transaction  authentication feature) winning many new
> customers by not only promoting  themselves as secure, but doing the right
> thing and investing in essentially  eliminating Internet Banking fraud. It
> saves them money, and it works well for  customers. This is the best model,
> but the hardest to sell.
>
> The second  model is used by most financial institutions. They are mature
> risk managers  and understand that a certain level of risk must be taken in
> return for doing  business. By choosing to invest some of the potential or
> known losses in  reducing the potential for massive losses, they can reduce
> the overall risk  present in the corporate risk register, which plays well to
> shareholders. For  example, if you invest $1m in securing a cheque clearance
> process worth (say)  $10b annually to the business, and that reduces check
> fraud by $5m per year  and eliminates $2m of unnecessary overhead every year,
> security is an easy  sell with obvious targets to improve profitability. A
> well managed operational  risk group will easily identify the riskiest
> aspects of a mature company's  activities, and it's easy to justify
> improvements in those areas.
>
> The  FUD model (used by many vendors - "do this or the SOX boogeyman will get
> you")  does not work.
>
> The do nothing model (used by nearly everyone who  doesn't fall into the
> first two categories) works for a time, but can  spectacularly end a
> business. Card Systems anyone? Unknown risk is too risky a  proposition, and
> is plain director negligence in my view.
>
> Thanks,
> Andrew
>
>
> On 3/19/07 11:35 AM, "McGovern, James F  (HTSC, IT)"
> <James.McGovern at thehartford.com> wrote:
>
>
>
>
> I am attempting to figure out how other Fortune enterprises have  went about
> selling the need for secure coding practices and can't seem to  find the
> answer I seek. Essentially, I have discovered that one of a few  scenarios
> exist (a) the leadership chain was highly technical and  intuitively
> understood the need (b) the primary business model of the  enterprise is
> either banking, investments, etc where the risk is perceived  higher if it is
> not performed (c) it was strongly encouraged by a member of  a very large
> consulting firm (e.g. McKinsey, Accenture,  etc).
>
> I would like to understand what does the Powerpoint deck that  employees of
> Fortune enterprises use to sell the concept PRIOR  to bringing in consultants
> and vendors to help them fulfill the need. Has  anyone ran across any PPT
> that best outlines this for demographics where the  need is real but
> considered less important than other  intiatives?
>
>
> *************************************************************************
> This  communication, including attachments, is
> for the exclusive use of  addressee and may contain proprietary,
> confidential and/or privileged  information.  If you are not the intended
> recipient, any use,  copying, disclosure, dissemination or distribution is
> strictly  prohibited.  If you are not the intended recipient, please  notify
> the sender immediately by return e-mail, delete this communication  and
> destroy all  copies.
> *************************************************************************
>
>
>
>   _____
>
> _______________________________________________
> Secure  Coding mailing list (SC-L) SC-L at securecoding.org
> List information,  subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List  charter available at - http://www.securecoding.org/list/charter.php
> SC-L  is hosted and moderated by KRvW Associates, LLC ( http://www.KRvW.com)
> as a free,  non-commercial service to the software security  community.
> _______________________________________________
>
>
>
>
>
>
>
>   _____
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC ( http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________