Information security practitioners have been struggling for decades to figure out why we cannot make much progress. We train, we educate, and we preach, yet precious little seems to change. This is especially true in application security, where insecure coding and the vulnerabilities it causes continue to be rampant throughout the industry despite herculean efforts by security professionals.
Economics may be able to illuminate a path for us. It suggests that when you wish to figure out why something happens, or fails to happen, you should start by mapping the incentives for each behavior.
In this series I’ll be discussing the incentive system around the application security space, with special emphasis on the developers, managers, and corporations that produce the code we use. We’ll talk about why insecure code is produced in the first place, and what, if anything, can be done to change that behavior. We’ll explore how developers are currently rewarded, what types of things they’re punished for, and why those systems exist naturally within businesses.
Some of the questions we’ll ask will include:
- How are developers currently incentivized?
- What are the financial incentives for producing features?
- What are the financial incentives for producing secure code?
- What are the penalties for failing to produce features?
- What are the penalties for producing insecure code?
Using our insights from this, we’ll try to develop a practical system for improving security within development organizations.
About the Author
Daniel Miessler currently serves as Practice Principal within HP Fortify’s Fortify on Demand group. His responsibilities include application security testing, testing methodology development, enterprise security consulting, public speaking, and strategically growing the practice. Miessler works directly with the Director of Fortify on Demand (Ryan English) to ensure that the FOD practice is #1 in the cloud-based Application Security space. This involves activities ranging from testing key applications for our top customers, to managing and enhancing all testing methodologies, to presenting to and consulting with customer executive teams on how best to build out their security programs.
Other key activities include substituting for the Fortify CTO and GM of Enterprise Security Products for key executive briefings and helping product managers and senior management predict where market trends are heading in order to build future-oriented solutions for customers.
Mapping Application Security Incentives – New Series, by Daniel Miessler, September 21, 2014