
April 2007 Archives

April 11, 2007

Security is in the cracks

Yesterday I spent most of the day re-installing my own personal workstation in the office and then choosing and installing a new anti-virus (finally got fed up with the Symantec drek). In principle I shut down as many Windows services as I can - especially those that call out and/or listen on the Internet, like the Windows DCOM service - so I shut it down and it paralyzed Office and the new anti-virus (I'm trying out Bit Defender - seems a lot better than Symandrek).

It got me thinking that most system vulnerabilities live in the cracks of system integration of components and packaged software, yet most of the industry's efforts in software security are directed towards new software implementations.

If you are preparing to implement a packaged application for financial management, CRM, data mining or ERP, something in the back of your mind probably says that the vendor's development organization is not a lot different from yours (although you hope they've thought through the security issues first).

Here are a few ideas to help find the crud in the cracks:

  • Inspect and penetration-test the system; assess infrastructure components, database interfaces and Web applications for vulnerabilities using Practical Software Assessment.
  • Identify the fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.

April 17, 2007

The death of the anti-virus

Well, I'm back on the warpath with endpoint security products after reinstalling my personal workstation in the office, after getting an error message from Windows XP SP 2 that a DLL from Symantec cannot be run because it is occupying memory reserved by Windows. Woh. A conversation with a colleague who is deeply involved in Microsoft Windows internals revealed the depth of Microsoft's efforts (probably redoubled now that Google bought Doubleclick) to prevent third-party software developers from getting close to the OS.

Who needs an anti-virus if I have a decent personal firewall on my notebook, a well-maintained firewall in the office and a reliable mail provider, and practice safe email (I use Google Applications and I automatically delete anything from people or subjects I am not familiar with)?

Additional security controls do not necessarily reduce risk.

Installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements.

Many firms see the information security issue as mainly an exercise in permissions and identity management (IDM). However, it is clear from conversations with two of our large telecom customers that (a) IDM is worthless against threats from trusted insiders with appropriate privileges and (b) since IDM systems require so much customization (as much as 90% in a large enterprise network), they actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that your cost of attacks and cost of ownership go up, instead of your risk going down. This is as true for a personal workstation as it is for a large enterprise network.

From the security perspective of an individual user, the question is pretty easy to answer. Install a decent personal firewall (not Windows, and please stay away from Symantec) and be careful.

For a business, the question is harder to answer because it is a rare company that has such deep pockets they can afford to purchase and install every security product recommended by their integrator and implement and enforce all the best-practice controls recommended by their accountants.

An approach we like is taking standards-based risk assessment and implementing controls that are a good fit to the business.

The PTA ISO 27001 library enables a risk analyst to provide a quantitative risk model to her client and construct an economically justified, cost-effective set of countermeasures that reduces risk in the customer's business environment.

More importantly, a company can execute a "gentle" implementation plan of controls concomitant with its budget instead of an all-or-nothing SOX checklist implementation that massively erodes the competitiveness of the business.

April 19, 2007

Build management and ...Governance

There is absolutely no question that the build process is a pivot in the software quality process. Build every day, don't break the build and do a smoke test before releasing the latest version.

This morning, I installed the latest version of an extremely complex network security system from one of our vendors and lo and behold, one of the most basic functions did not work (and has not worked for about 3 revisions now apparently). Wrote a love letter to the customer service and QA managers and chided them for sloppy QA.

An article I saw recently talks about the "confluence of compliance and governance" and the direct link to software quality. If you read Jim McCarthy's classic, "Dynamics of Software Development", you will remember the chapter called "Don't break the build".

You may be using Linux make, Microsoft nmake or Apache Ant, but in all cases the build expertise of the person running the build is more important than the tool itself. The development team runs a daily build with a build-meister personally responsible for running the construction of a working system from all the components. If the build breaks, he doesn't go home.

It is better to have a non-programmer do the smoke test before the final release to manufacturing. A person outside the engineering team does not have the blinders or personal interest to ignore basic functionality that gets broken (not to mention having motivation to one-up the engineers).

Anyhow, maybe there is still hope if the compliance gurus have discovered software quality. Read more here: Governance in the Application Development Life Cycle: Build Management

April 22, 2007

Compliance is not enough

One of the ERM (enterprise risk management) vendors has a cute tag line - "compliance is just the minimum performance standard".

I could not agree more. Risk assessments are complex, multi-dimensional models of the relationships between assets, threats, vulnerabilities and controls, but with appropriate tools like Practical Threat Analysis or Fidelis XPS, they can help reduce a company's risk profile at a reasonable price tag.

12-24 months from now, I believe we will see a return to the Age of Reason, where rational risk management replaces blind compliance check lists - for 2 reasons:

1) Compliance projects have very little business value.

You spend money on compliance and then what?

2) Security is like fashion - both are cyclical industries.

Today everyone is clicking on Monica Bellucci in Google.

Tomorrow they will be clicking on Manuela Arcuri.

Today a lot of firms are doing Sarbanes-Oxley and ISO 27001 risk assessment projects and paying a steep price for regulatory compliance without a return on their investment. Tomorrow the fashion trend will be "driving to build business value from better risk management and governance".

Fashion and big money are a killer combination.

Imagine all those CxOs figuring out that they can reduce operational risk and save money by selecting the most cost-effective controls for better governance, risk and compliance management (and not just brainlessly implement the entire regulatory checklist).

Enough people may figure out that compliance is a minimum but not a sufficient requirement, and once systematic risk assessment hits small to medium-sized companies in the supply chain, the ridiculously priced compliance projects will be replaced by businesses looking for business value.

Why small to medium sized companies?

Because they don't have the deep pockets to implement all the security controls on the ISO 27001, PCI, SOX or GLBA checklist.

Because they don't care about keeping up with their regulators. They care about keeping their customers happy, protecting customer data and keeping the IT operation humming so that their business will run smoothly. All this at a reasonable price.

Who knows? It could still happen.

April 30, 2007

Making risk mitigation cost effective

Monica Bellucci ("I feel fine and comfortable with myself, but not because I'm beautiful") illustrated my point that corporate risk managers are like fashionistas who tapped out their plastic at Salvatore Ferragamo. After spending billions on Sarbanes-Oxley, institutions are seeking to mitigate risk at a cost that fits their business and their pocket. IBM calls it "Enterprise risk management: Aligning design principles to corporate goals".

Here are some guidelines for designing risk mitigation at the lowest possible cost (even before you send the vendors to purchasing):

  • Be Quantitative: This helps take security decisions out of the realm of qualitative risk discussion and into the realm of business justification. It enables your business decision makers to state asset values, risk profile and controls in familiar monetary values. This is a good thing, unless you believe in the mushroom theory of management.
  • Be Robust: Excel is just not enough. If you are an analyst doing a serious risk assessment, you know you need to preserve the data integrity of complex multi-dimensional risk models. Excel spreadsheets are convenient but unstable and difficult to maintain.
  • Be Versatile: Enable your business to reuse existing threat knowledge in new business situations and perform continuous risk assessment and "what-if" analysis on control scenarios without jeopardizing the integrity of the data.
  • Be Effective: Get the most bang for your buck - i.e. the most effective security countermeasures and their order of implementation.
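As an added illustration of the "quantitative" and "effective" guidelines above (this is example code written for this page, not the PTA library's own model or code), the following Python script expresses threats in monetary terms with the standard annualized loss expectancy formula (ALE = asset value × exposure factor × annual rate of occurrence), then ranks candidate countermeasures by risk reduction per dollar under a fixed budget, keeping only controls whose annual risk reduction exceeds their annual cost. All asset values, exposure factors, occurrence rates, control costs and mitigation percentages are constructed for illustration; the "what-if" comparison at the end reruns the selection with a different budget, which is the kind of control-scenario analysis the "versatile" guideline asks for.

```python
"""Quantitative risk model with budget-constrained countermeasure selection.

Added example: not the PTA library's model. All figures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Threat:
    name: str
    asset_value: float      # business value of the asset at risk ($)
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO, where SLE = value * EF."""
        return self.asset_value * self.exposure_factor * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction by which this control cuts that threat's ARO
    mitigation: Dict[str, float]


def baseline_ale(threats: List[Threat]) -> float:
    """Total expected annual loss with no controls in place."""
    return sum(t.ale() for t in threats)


def residual_ale(threats: List[Threat], controls: List[Countermeasure]) -> float:
    """Expected annual loss after the given controls; reductions on the
    same threat compound multiplicatively (two 50% controls leave 25%)."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += t.ale() * remaining
    return total


def select_controls(threats: List[Threat], candidates: List[Countermeasure],
                    budget: float) -> List[Countermeasure]:
    """Greedy selection: at each step pick the affordable control with the
    highest ALE reduction per dollar, but only if it reduces ALE by more
    than it costs. Returns controls in recommended implementation order."""
    chosen: List[Countermeasure] = []
    remaining = list(candidates)
    spent = 0.0
    while remaining:
        current = residual_ale(threats, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue  # outside the budget in this scenario
            reduction = current - residual_ale(threats, chosen + [c])
            if reduction <= c.annual_cost:
                continue  # control does not pay for itself
            ratio = reduction / c.annual_cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.annual_cost
    return chosen


# Constructed sample data (hypothetical figures, not from any real assessment).
THREATS = [
    Threat("database breach", 2_000_000, 0.25, 0.2),        # ALE 100,000
    Threat("ransomware on workstations", 400_000, 0.5, 0.5),  # ALE 100,000
    Threat("insider data theft", 2_000_000, 0.1, 0.1),        # ALE  20,000
]
CONTROLS = [
    Countermeasure("DB encryption + access logging", 30_000,
                   {"database breach": 0.6, "insider data theft": 0.3}),
    Countermeasure("Endpoint backup + patching", 25_000,
                   {"ransomware on workstations": 0.7}),
    Countermeasure("IDM overhaul", 120_000,
                   {"insider data theft": 0.5, "database breach": 0.2}),
    Countermeasure("SOX checklist consultancy", 80_000, {}),  # no risk effect
]


def scenario(budget: float) -> Dict[str, float]:
    """What-if helper: run the selection for a budget and summarize it."""
    chosen = select_controls(THREATS, CONTROLS, budget)
    return {
        "baseline_ale": baseline_ale(THREATS),
        "residual_ale": residual_ale(THREATS, chosen),
        "annual_cost": sum(c.annual_cost for c in chosen),
        "controls": [c.name for c in chosen],
    }


if __name__ == "__main__":
    for budget in (100_000, float("inf")):
        print(f"budget {budget}: {scenario(budget)}")
```

Running it with a $100,000 budget picks the endpoint control first (the best reduction per dollar) and the database control second, cutting ALE from $220,000 to $84,000 for $55,000 a year. Raising the budget to unlimited changes nothing: the expensive IDM overhaul never reduces expected loss by more than it costs, and the checklist consultancy reduces none, which is the "compliance is a minimum, not a sufficient requirement" point in numbers.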

About April 2007

This page contains all entries posted to Israeli Software in April 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License. Powered by Movable Type 3.32.