"We don't have enough resources!" Every manager hears this phrase more often than not. The better question is "Why do we need more?" Is it because of performance issues? Too much work? Inefficient processes? Well, it depends... Let's examine the case presented by Michael Shema from NT Objectives (here).
In many organizations today, the budget for the Security Team is lower than that of every other team, mainly because management is unaware of the consequences and impacts of insecure applications, or because security is simply not a top priority. The bottom line for a development shop is to build the application and get it out the door to the client. But what about security? "We'll do the best we can, but I guess that is all we can do."
In practice, this means security testing toward the end of the SDLC and perhaps some remediation of the findings if there is enough time. More likely, the fixes slip and the product is delivered with flaws that remain undiscovered. Is lack of budget really the issue?
Ideally, the QA Team would be tasked with finding security issues, but they lack the security expertise and already have too little time to complete their normal testing. So the Security Team should do it, on top of the many other things they are responsible for. When the Security Team finds vulnerabilities, it needs the Development Team to implement the fixes. Often the Development Team has already moved on to a new project and is neither interested in nor resourced for fixing old problems. "We don't have enough resources!" But it needs to be done.
The endless cycle continues. More work. More work. More work. Lack of resources will always be a problem with a purely defensive approach, where security is bolted on after the fact rather than built in.
What should we do? Streamline security processes and integrate them into the SDLC. Keep the Security Team involved throughout development, not just at the end. Include a Security Design Review early, so that weaknesses and design flaws are addressed before they are coded rather than discovered after release. This is easier said than done, and the right approach is unique to every organization. In this series, I will outline ideas and best practices that can be custom-fitted to yours.