Secure Coding mailing list archives

Re: The problem is that user management doesn't demand security


From: "Kenneth R. van Wyk" <Ken () krvw com>
Date: Tue, 09 Dec 2003 16:06:19 +0000

On Monday 08 December 2003 17:11, Erik van Konijnenburg wrote:
> Treat security as one more aspect to be covered during requirement
> analysis, and you may have an opportunity to get a conscious
> decision on security from end user management.

Yes, I also like that approach a lot.  And, it's an opportunity/challenge 
(depending on which side of the coin you're looking at) to educate the 
application owner about the business risks associated with the application.  
Ask questions _like_ "how much is this app worth to the company?", "how much 
will an outage of 1 {hour|day|week} cost the company in lost {revenue|
customers|reputation}?".  The answers to these questions should, at the very 
least, help drive the specifications and design.  I've seen this work quite 
well, FWIW.  Of course, it does require the development team to have an 
understanding of and appreciation for these issues, starting at the earliest 
phase of the development process--and that has to include the techies as well 
as management...

> Of course, if you're developing COTS software, you have a much
> tougher job selling security.

No doubt.  I think that that is at least in part due to the fact that someone 
developing special purpose enterprise-level applications has the benefit of 
knowing what the business process is that his app will be running -- hence, 
there's at least the potential for having a better understanding of the risks, 
and then preparing for them.

That's not to say that special purpose apps are inherently better designed and 
implemented, but I believe that they often have an advantage, even if the 
developers are not explicitly aware of why.

Cheers,

Ken van Wyk
