Secure Coding mailing list archives

"Checklist Manifesto" applicability to software security


From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Thu, 07 Jan 2010 10:51:32 -0500

I think there's lots of applicability. People - especially techies - cut
corners. The pressure is usually to get things done in a certain amount
of time, and then add on that people like to generally expend as little
energy as possible, and voilà! you see the problem.

Of course, the flip side is that checklists in an area like IT can be
detrimental, too. PCI is a great example, where it never made a claim of
being comprehensive, yet is treated as such (and codified in State laws
for crying out loud), and then orgs still get hacked, leaving them to
wonder why the checklist didn't protect them.

Perhaps the key, then, is knowing that you need experience+procedures.
Procedures allow you to not screw up the mundane and routine, while
experience allows you to dynamically respond to issues that don't fit
the precise steps of the procedure. Part and parcel to this, then, is
needing to empower experienced professionals to be flexible and dynamic
in the vast of challenges rather than requiring them to rigidly adhere
to procedure in all instances.

Within appsec, QA and related security testing is probably a great
example. If all QA could be strictly proceduralized, then you could just
automate it all. However, testing doesn't always go as expected,
requiring a functioning brain to (hopefully) respond and adapt
accordingly. You probably need procedures for properly catching those
exceptions, but nonetheless, those procedures automatically create a
capacity for dynamic response.

Sorry, a bit rambly...

-ben

Jeremy Epstein wrote:
Greetings,

I was listening yesterday to an interview [1] on NPR with Dr. Atul
Gawande, author of "Checklist Manifesto" [2].  He describes the
problem that medical procedures (e.g., surgery) tend to have lots of
mistakes, mostly caused because of leaving out important steps.  He
claims that 2/3 of medical - or maybe surgical - errors can be avoided
by use of checklists.  Checklists aren't very popular among doctors,
because they don't like to see themselves as factory workers following
a procedure, because the human body is extremely complex, and because
every patient is unique.

So as I was listening, I was thinking that many of the same things
could be said about software developers and problems with software
security - every piece of software is unique, any non-trivial piece of
software is amazingly complex, developers tend to consider themselves
as artists creating unique works, etc.

Has anyone looked into the parallelisms before?  If so, I'd be
interested in chatting (probably offlist) about your thoughts.

--Jeremy

[1] Listen to the interview at http://wamu.org/programs/dr/10/01/06.php#29280
[2] "The Checklist Manifesto: How to Get Things Right", Atul Gawande,
Metropolitan Books.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



-- 
Benjamin Tomhave, MS, CISSP
tomhave at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Pareto Principle (a.k.a. "The 80-20 Rule"): "For many phenomena, 80% of
consequences stem from 20% of the causes."
http://globalnerdy.com/2007/07/18/laws-of-software-development/

