Software security by problem setting

We had an interesting discussion with a friend of mine yesterday. The discussion was about corporate communication, its failures and difficulties. Well, that’s his job. My job is security. And today I suddenly realized that everything we discussed yesterday about communication was equally applicable to my situation simply due to the human nature.

We try and push security into the company, into the development, into management, into everything. And it does not work. Some people say that it does not work as well as we would like it to but it works a little. I say it does not work at all. All this fake interest in something that can be done instead of working – that is not an interest in applying security. That’s not what we are after.

But the problem is the sane here as everywhere else. Why would anyone want to have security? Why would my CEO want security? He wants some certificate that he can wave around at public speaking occasions and get recognition and, even better, money for it. Why would developers want security? They want to listen to funny stories about security to have a legitimate excuse not to work. But they do not want to implement any security, that’s extra work for them that is not recognized in any way. Why would my customers want security? It’s cumbersome, and annoying, and costly…

So we are stuck in pretty much the same situation: I am trying to give people a solution to the problem they do not have. Or they think they do not have. People are notoriously bad at recognizing future problems and seeing the not-so-immediate outcomes. And that’s why I am failing before I started. They will not accept it because it is not their problem.

And the main million dollar question remains: how to make software security to be their very personal and immediate problem? If I can figure it out, then and only then we will finally have software security.… -->

continue reading →