Is there a “black-box” security solution for the business?
What risks really count for your business? No question is more important for implementing an effective program of security countermeasures. Management, IT staff and security practitioners cannot expect to mitigate risk effectively without knowing the sources and cost of threats to the organization.
We all depend on Web services and apps in order to run our business and make decisions, no matter how many employees we have. Whether we are self-employed and making wedding cakes or running a global business with 14,000 employees in 40 locations, we use information systems daily to buy, sell, pay and collect from customers.
The prevailing security model is predicated on defense in depth of our information systems and human operations.
The most common IT strategies are to mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services with Check Point firewalls, detecting known application exploits with Imperva database firewalls, or blocking entry of malicious code to the network with a FortiGate IPS.
Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “black-box” security solution for the business? The answer is clearly no.
A reactive network defense tool such as a firewall cannot protect against exploitation of software defects, and an application firewall is no replacement for an in-depth understanding of company-specific source code or system-configuration vulnerabilities.
Business Threat Modeling is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.
Business Threat Modeling is based on four basic tenets:
- Risk analysis for production software
- Quantitative evaluation and financial justification
- Explicit communications between developers and security
- Sustained, continuous risk reduction
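As an added illustration of the quantitative evaluation and financial justification the tenets above call for (example code written for this page, not from the original post), the following Python model estimates the annual loss expectancy of a small set of business threats and ranks candidate countermeasures, including removing a source-code defect, by net annual benefit. The threat names, probabilities, loss figures, costs and reduction factors are constructed values, not taken from any real assessment.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    annual_probability: float  # estimated chance the threat materialises in a year
    damage: float              # estimated loss per occurrence, in currency units

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    probability_reduction: dict  # threat name -> fraction (0..1) by which it cuts that threat's probability

def annual_loss_expectancy(threats, countermeasure=None):
    # Sum of probability * damage over all threats, optionally after applying one countermeasure
    total = 0.0
    for t in threats:
        p = t.annual_probability
        if countermeasure is not None:
            p *= 1.0 - countermeasure.probability_reduction.get(t.name, 0.0)
        total += p * t.damage
    return round(total, 2)

def evaluate(threats, countermeasures):
    # For each countermeasure: (name, residual ALE, net annual benefit = risk removed - cost), best first
    baseline = annual_loss_expectancy(threats)
    results = []
    for cm in countermeasures:
        residual = annual_loss_expectancy(threats, cm)
        results.append((cm.name, residual, round(baseline - residual - cm.annual_cost, 2)))
    return sorted(results, key=lambda r: r[2], reverse=True)

# Constructed sample model: hypothetical figures, not taken from any real assessment
THREATS = [
    Threat("SQL injection in order app", 0.3, 200_000),
    Threat("Phishing of finance staff", 0.5, 80_000),
    Threat("Lost unencrypted laptop", 0.2, 20_000),
]
COUNTERMEASURES = [
    Countermeasure("Fix injection defect in source code", 15_000, {"SQL injection in order app": 0.9}),
    Countermeasure("Web application firewall", 40_000, {"SQL injection in order app": 0.5}),
    Countermeasure("Security awareness training", 10_000, {"Phishing of finance staff": 0.4}),
]

if __name__ == "__main__":
    print("Baseline annual loss expectancy:", annual_loss_expectancy(THREATS))
    for name, residual, net in evaluate(THREATS, COUNTERMEASURES):
        print(f"{name}: residual ALE {residual:,.0f}, net annual benefit {net:,.0f}")
```

With these constructed inputs the baseline loss expectancy is 104,000 per year, and removing the defect in the code ranks first because it eliminates most of the largest risk for a fraction of the cost of the reactive product.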