Risk-Taking and Secure-Enough Software

January 24, 2018

Each of us involved in global Financial Services enterprises have risk management strategy and policy.  In action, those are supported and operationalized through a vast, dynamic, organic, many-dimensional web of risk management activities.

One facet of this activity involves the creation, acquisition, implementation, and use of risk-appropriate software. Sometimes this is abbreviated to simply “secure software.” In some forums I use the term “secure-enough software” to help highlight that there is some risk-related goal setting and goal achieving that needs to be architected, designed, and coded into software we create — or the same needs to be achieved by our vendors or partners when we acquire software.

As I have mentioned repeatedly in this blog, global financial services enterprises succeed through taking goal-aligned risks. Our attempts to live out that challenge are at best uneven.

Some software developers, architects, or some agile team member will zealously and enthusiastically take risks in their attempts to improve a given or a set of software quality characteristics. Others only reluctantly take risks.[1] In either case, the risks are only vaguely described (if at all) and the analysis of their appropriateness is opaque and un- or under-documented.

My experience is that too many personnel have little to no involvement, training and context on which to ground their risk analysis and risk acceptance decision making.  As a result of that gap, risk acceptance throughout any software development lifecycle is too often based on project momentum, emotion, short term self-promotion, fiction, or some version of risk management theater.

The magnitude of risk associated with this type of risk taking has only been enlarged by those attempting to extract value from one or another cloud thing or cloud service.

Those of us involved in secure software work need to clearly express the extent of our localized organization’s willingness to take risk in order to meet specific objectives, AND how the resulting behaviors align with published and carefully vetted enterprise strategic (risk management) objectives.

All of this leads me to the topic of risk appetite.

  • What needs to be included in a description of risk appetite that is intended for those involved in software development and acquisition?
  • Are there certain dimensions of software-centric risk management concern that need to be accounted for in that description of risk appetite?
  • Are there certain aspects of vocabulary that need to be more prescribed than others in order to efficiently train technical personnel about risk-taking in a global financial services enterprise?
  • Are there rules of thumb that seem to help when attempting to assess the appropriateness of given software-centric risks?

What do you think?

REFERENCES:

Risk Appetite and Tolerance Executive Summary.
A guidance paper from the Institute of Risk Management September 2011
https://www.theirm.org/media/464806/IRMRiskAppetiteExecSummaryweb.pdf

[1] A similar phrase is found in the abstract of “Risk Appetite in Architectural Decision-Making.” by Andrzej Zalewski. http://ieeexplore.ieee.org/document/7958473/

 

Advertisements

‘Best Practices’ IT Should Avoid

June 20, 2017

12 ‘Best Practices’ IT Should Avoid At All Costs.

A colleague mentioned this title and I could not resist scanning the list.

They offer support to some of the funnier Dilbert cartoons, AND they should spark some reflection (maybe more) for some of us working in Global Financial Services.

1. Tell everyone they’re your customer
2. Establish SLAs and treat them like contracts
3. Tell dumb-user stories
4. Institute charge-backs
5. Insist on ROI
6. Charter IT projects
7. Assign project sponsors
8. Establish a cloud computing strategy
9. Go Agile. Go offshore. Do both at the same time
10. Interrupt interruptions with interruptions
11. Juggle lots of projects
12. Say no or yes no matter the request

If any of these ring local (or ring true), then I strongly recommend Bob Lewis’ review of these ‘best practices.’

If any of them make you wince, you might want to read an excellent response to Mr. Lewis by Dieder Pironet.

In any case, this seems like an important set of issues. Both these authors do a good job reminding us that we should avoid simply repeating any them without careful analysis & consideration.

REFERENCES:
12 ‘Best Practices’ IT Should Avoid At All Costs.
http://www.cio.com/article/3200445/it-strategy/12-best-practices-it-should-avoid-at-all-costs.html
By Bob Lewis, 06-13-2017

12 ‘best practices’ IT should avoid at all costs – My stance.
https://www.linkedin.com/pulse/12-best-practices-should-avoid-all-costs-my-stance-didier-pironet
By Didier Pironet, 06-19-2017


4 Agile Security Principles

August 30, 2016

Yesterday Citigal proposed a set of principles to complement the Agile Manifesto.  Authors of the Agile Manifesto emphasized:

  1. Individuals and interactions over processes and tools
  2. Working software over comprehensive documentation
  3. Customer collaboration over contract negotiation
  4. Responding to change over following a plan

Cigital offers four principles to help address inefficiencies that too often slow application security. They intent that these four principles will “guide and inspire us to build secure software in an agile way.”

  1. Rely on developers and testers more than security specialists.
  2. Secure while we work more than after we’re done.
  3. Implement features securely more than adding on security features.
  4. Mitigate risks more than fix bugs.

I assume that Citigal built their list in the Agile Manifesto model, as an expression of their valuing the items on the right — just not as much as they value the items on the left.  Not only do these principles align with and extend the original Agile Manifesto, it seems like they may also help information and software security organizations scale their efforts.  None of us has all the resources we need.  Sensitive use of the “Cigital four” listed above may help us build capacity…

These seem like an excellent resource for those leading secure software efforts as well as for architects, designers, product owners — anyone attempting to influence software quality while managing software induced risks to appropriate levels.

RESOURCES

Cigital: https://www.cigital.com/

The Agile Manifesto: http://agilemanifesto.org/

Cigital’s 4 Principals: https://www.cigital.com/resources/ebooks-and-whitepapers/agile-security-manifesto-principles/

There is no single “Agile” way: https://en.wikipedia.org/wiki/Agile_software_development#Agile_methods

 


%d bloggers like this: