Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread Gunnar Peterson
JD Meier had a good post recently on influencing without authority, which is the
position security finds itself in:

1. assume all potential allies
2. clarify goals and priorities
3. diagnose the allies world
4. identify relevant currencies
5. deal with relationships
6. influence through give and take

http://blogs.msdn.com/jmeier/archive/2007/03/09/influencing-without-authority.aspx

how does this translate to app security? well i think it means find
stakeholders/allies wherever you can. for any group that is interested, try to 1)
educate them about software risks and software security and 2) give them
tools/process they can bring to bear on the problem. specifically, legal teams
are generally very interested in risks, so i have seen several legal teams at
very large companies deploy parts of the OWASP legal project to good effect.
business analysts can be trained on how to specify some security concerns in use
cases/user stories. qa teams can be educated on security specific testing tools
and techniques, architects can learn how to design reusable security services,
and so on. so whatever group seems eager to get involved, it makes sense to
engage. once security concerns are embedded in test plans and use cases, aligned
with business goals, the software security effort is not a one off from a
developer point of view.

find all allies, turn none away, arm them with knowledge, turn em loose.

the other issue is that there are many security services that you cannot expect
an app project to deliver on its own. skyscrapers should not have to have their
own fighter jets to protect against people flying planes into them, that is why
you have an air force. making the case for platform security can be hard, but
that is where the architects have to help (i seem to recall that security is a
non-functional requirement and that architects are supposed to own
non-functional requirements). one of the reasons i like browser-based federated
identity is because you can externalize some authN code from the app, you get
stronger identity tokens across the wire, you don't have developers creating
their own authN code, and of course the users get SSO and SLO. this is like app
armor, in my view, a reference model for security services - improved security
mechanism, great usability, business value, and a simplified programming model.

-gp

Quoting "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]>:

> Thanks for the response. I already own the book and understand how to engage
> vendors. Where I am seeking assistance is all the work that goes on within a
> large enterprise before these two things occur. The ideal situation for me
> would be to get my hands on the five to ten page Powerpoint slide deck that
> others who have blazed this path before me have used to sell the notion to
> their executives.
>
> -Original Message-
> From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 19, 2007 5:06 PM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L
> Subject: Re: [SC-L] How is secure coding sold within enterprises?
>
>
> In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's
> "The Security Development Lifecycle" ISBN 9780735622142
>
> http://www.microsoft.com/mspress/books/8753.aspx
>
> It is simply the best text I've read in a long time.
>
> You may be interested in the work Mark Curphey et al is doing at his new
> start up. They launched an ISM portal a couple of weeks back.
>
> http://www.ism-community.org/
>
> If you're just after ideas on how to engage vendors, check out Curphey's blog
> for some nice insider posts:
>
>
> http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
> http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
> http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/
>
> He ran Foundstone's services for a while, and built up a pretty good
> consultancy.
>
> The sort of metrics you're after are notoriously hard to find out in the
> wild. There's some folks capturing screenshots of enterprise dashboards. This
> may or may not help at all.
>
> http://dashboardspy.com/
>
> Thanks,
> Andrew
>
>
> On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)"
> <[EMAIL PROTECTED]> wrote:
>
>
>
> I agree with your assessment of how things are sold at a high-level but still
> struggling in that it takes more than just graphicalizing of your points to
> sell, hence I am still attempting to figure out a way to get my hands on some
> PPT that are used internal to enterprises prior to consulting engagements and
> I think a better answer will emerge. PPT may provide a sense of budget,
> timelines, roles and responsibilities, who needed 

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread McGovern, James F (HTSC, IT)
John, thanks for the response and I think you have an understanding of the 
essence of the problem in that current books don't cover the "selling" security 
aspects nor how things actually work in large corporations. One of the benefits 
to me of seeing someone's deck that went before me is that I get to see and 
understand not only salient points, but also how they were presented in terms 
of order and emphasis. I of course could, like most folks who are new to a space, 
take a first shot at it and mercilessly iterate, but I do think it is wise 
to figure out ways to leverage the work of my peers in other enterprises (of 
course I can return the favor on other initiatives) and only iterate based on 
local custom and not broader themes.
 
In terms of job grade, no I am not an EVP nor am I a developer. I am someone 
higher on the food chain than most in that my responsibilities include strategic 
direction. Likewise, the issue in terms of selling is really about budget, but 
it is about first buy-in of all participants throughout the enterprise and 
secondly the ability to make the case once we collectively conclude that we 
need consulting assistance, the ability to go off preferred vendor list and 
make the right choice.
 
Based on your comment, in your opinion, I would love to know which analysts 
I should quote and if you know of specific gems? In terms of keeping up with 
the Joneses, part of this requires the ability to understand what others are up 
to. From what I can tell from this list, I have only seen replies from two 
Fortune enterprises where the vast majority of other folks either have some 
government connection and/or are employed by software vendors/consulting firms. One 
of my concerns with why ideas sometimes don't fly is not due to validity but the 
perception that if one waits it out, things will get better and more efficiency 
in terms of spend will emerge. In other words, one perception may be that 
focusing on secure coding is too early (Yes, the current description of why it 
is important is valid but it doesn't address the early concern)
 
Got any URLs to any good architectural checklists? I have only run across 
code-oriented ones.
 
Anyone seen any good pictorial representations of roadmaps in this space?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Steven
Sent: Monday, March 19, 2007 9:56 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


Andrew, James, 


Agreed, Microsoft has put some interesting thoughts out in their SDL book. 
Companies that produce a software product will find a lot of this approach 
resonates well. IT shops supporting financial houses will have more difficulty. 
McGraw wrote a decent blog entry on this topic:


http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/



Shockingly, however, I seem to be his only commentator on the topic.


I think James will find Microsoft's literature falls terribly short of even the 
raw material required to produce the PPT he desires. Let's see what we can do 
for him.


First: audience. I'm not sure of James' position, but it doesn't sound like 
he's high enough that he's got the CISO's ear now, nor that he's face-down in 
the weeds either. James, you sit somewhere in-between? James appears to work 
for an insurance company. Insurance companies do care about risk, but they're 
sometimes blind to the kinds (and magnitudes) of software risk their business 
faces. They fall in a middle ground between securities companies and banks. 


Second, length: If you're going after a SVP or EVP, James, I'd keep the deck to 
~3-5 slides. 1) Motivate the problem, 2) Show your org's status (as an 
application security framework) and, 3) show the 6mo., 9mo., 12mo. (maybe) 
roadmap. Depending on the SVP, another two slides comparing you to others might 
work, as well as a slide that talks in more detail about costs, deliverables, 
and resource-requirements, and value.


Higher? I'd do two slides: 1) framework and 2) roadmap. The end. Place costs 
and value on the roadmap.

What about content? Longer decks I've seen (or helped create) have begun with 
research from analyst firms, or with pertinent headlines, to motivate the 
problem (couched as FUD if you're not careful) on slide one. Still, you'd be 
wise to pick fodder that will appeal to the decision maker's own objectives. 
His/her objectives may be in pursuit of differentiation/opportunity or risk 
reduction, as Andrew said, or (more probably) they're pursuant to a more 
mundane goal: drive down (or hold constant) security cost while driving up the 
effectiveness of the spending. 


To this end, the decks I've seen quickly moved beyond motivation into solution. 
Here, you have to begin thinking about your current o

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread John Steven
tance: Do your applications have available a  
custom implementation of input validation routines built on top of  
Struts' Validator framework? Ask about its use in the architectural  
checklist. Propose to measure penetration testing results in the  
input filtering class and correlate it with checklist answers. As  
you collect data you'll be building (or possibly but not hopefully  
destroying) the case for your expanded checklist and the savings it  
provides. There are a host of hidden measures embedded in this  
example, each shining light in a particular direction. Make sure  
each and every initiative can make use of such measures as  
justification.


Well, this is long enough for now. If there are topics you'd like  
me to enumerate more fully, or if I've missed something, shoot me  
an email.


Hope this helps, and sorry I didn't just attach a PPT ;)

John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F

Blog: http://www.cigital.com/justiceleague
http://www.cigital.com
Software Confidence. Achieved.


On Mar 19, 2007, at 4:12 PM, McGovern, James F ((HTSC, IT)) wrote:

I agree with your assessment of how things are sold at a high- 
level but still struggling in that it takes more than just  
graphicalizing of your points to sell, hence I am still attempting  
to figure out a way to get my hands on some PPT that are used  
internal to enterprises prior to consulting engagements and I  
think a better answer will emerge. PPT may provide a sense of  
budget, timelines, roles and responsibilities, who needed to buy- 
in, industry metrics, quotes from noted industry analysts, etc  
that will help shortcut my own work so I can start moving towards  
the more important stuff.

-Original Message-
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 2:50 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?

There are two major methods:

Opportunity cost / competitive advantage (the Microsoft model)
Recovery cost reductions (the model used by most financial  
institutions)


Generally, opportunity cost is where an organization can further  
its goals by a secure business foundation. This requires the CIO/ 
CSO to be able to sell the business on this model, which is hard  
when it is clear that many businesses have been founded on  
insecure foundations and do quite well nonetheless. Companies that  
choose to be secure have a competitive advantage, an advantage  
that will   increase over time and will win conquest customers.  
For example (and this is my humble opinion), Oracle’s security is  
a long standing unbreakable joke, and in the meantime MS ploughed  
billions into fixing their tattered reputation by making it a  
competitive advantage, and thus making their market dominance  
nearly complete. Oracle is now paying for their CSO’s mistake in  
not understanding this model earlier. Forward looking financial  
institutions are now using this model, such as my old bank’s (with  
its SMS transaction authentication feature) winning many new  
customers by not only promoting themselves as secure, but doing  
the right thing and investing in essentially eliminating Internet  
Banking fraud. It saves them money, and it works well for  
customers. This is the best model, but the hardest to sell.


The second model is used by most financial institutions. They are  
mature risk managers and understand that a certain level of risk  
must be taken in return for doing business. By choosing to invest  
some of the potential or known losses in reducing the potential  
for massive losses, they can reduce the overall risk present in  
the corporate risk register, which plays well to shareholders. For  
example, if you invest $1m in securing a cheque clearance process  
worth (say) $10b annually to the business, and that reduces check  
fraud by $5m per year and eliminates $2m of unnecessary overhead  
every year, security is an easy sell with obvious targets to  
improve profitability. A well managed operational risk group will  
easily identify the riskiest aspects of a mature company’s  
activities, and it’s easy to justify improvements in those areas.


The FUD model (used by many vendors - “do this or the SOX  
boogeyman will get you”) does not work.


The do nothing model (used by nearly everyone who doesn’t fall  
into the first two categories) works for a time, but can  
spectacularly end a business. Card Systems anyone? Unknown risk is  
too risky a proposition, and is plain director negligence in my view.


Thanks,
Andrew


On 3/19/07 11:35 AM, "McGovern, James F (HTSC, IT)"  
<[EMAIL PROTECTED]> wrote:


I am attempting to figure out how other Fortune enterprises have
gone about selling the need for secure coding practices and can't
seem to find the answer I se
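The measurement John Steven sketches above (ask about the shared input-validation routines in the architectural checklist, then correlate penetration-test findings in the input-filtering class with the checklist answers) worked through as an added example. This is not code from the thread or from Cigital; the checklist item "IV-1", the application names and the findings are all constructed sample data, and the grouping-by-answer approach is one way of doing the correlation, not the one any particular enterprise used.

```python
"""Correlate architectural-checklist answers with penetration-test findings.

Added example, not code from the SC-L thread. The checklist item "IV-1",
the application names and the findings are all constructed sample data.
"""
from collections import defaultdict

# Constructed checklist answers per application. IV-1 is a hypothetical
# checklist item: "does the app use the shared input-validation routines
# built on top of the Struts Validator framework?"
CHECKLIST = {
    "claims-portal": {"IV-1": True},
    "agent-desk": {"IV-1": True},
    "quote-engine": {"IV-1": False},
    "billing-web": {"IV-1": False},
    "legacy-intake": {"IV-1": False},
}

# Constructed pen-test findings: (application, finding class, severity).
FINDINGS = [
    ("claims-portal", "input-filtering", "medium"),
    ("quote-engine", "input-filtering", "high"),
    ("quote-engine", "input-filtering", "high"),
    ("billing-web", "input-filtering", "medium"),
    ("billing-web", "session-management", "high"),
    ("legacy-intake", "input-filtering", "high"),
    ("agent-desk", "session-management", "low"),
]


def findings_per_app(findings, finding_class):
    """Count findings of one class (e.g. input-filtering) per application."""
    counts = defaultdict(int)
    for app, cls, _severity in findings:
        if cls == finding_class:
            counts[app] += 1
    return dict(counts)


def correlate(checklist, findings, item, finding_class):
    """Group applications by their answer to one checklist item.

    Returns {answer: (apps, findings of the class, findings per app)}.
    An application that never answered the item counts as "No".
    """
    counts = findings_per_app(findings, finding_class)
    groups = {True: [0, 0], False: [0, 0]}
    for app, answers in checklist.items():
        group = groups[bool(answers.get(item, False))]
        group[0] += 1
        group[1] += counts.get(app, 0)
    return {
        answer: (n_apps, n_findings, n_findings / n_apps if n_apps else 0.0)
        for answer, (n_apps, n_findings) in groups.items()
    }


def rate_ratio(result):
    """Findings-per-app of the "No" group divided by that of the "Yes" group.

    None when the "Yes" group has no findings (the ratio is undefined, which
    is itself the strongest possible case for the checklist item).
    """
    yes_rate = result[True][2]
    no_rate = result[False][2]
    return None if yes_rate == 0 else no_rate / yes_rate


if __name__ == "__main__":
    result = correlate(CHECKLIST, FINDINGS, "IV-1", "input-filtering")
    for answer in (True, False):
        n_apps, n_findings, rate = result[answer]
        label = "yes" if answer else "no"
        print(f"IV-1={label:3} apps={n_apps} "
              f"input-filtering findings={n_findings} per app={rate:.2f}")
    ratio = rate_ratio(result)
    print("ratio (no / yes):", "undefined" if ratio is None else f"{ratio:.2f}")
```

Run against real data, the two numbers to put on the slide are the per-app rates for each answer and their ratio; the checklist item earns its place only if the "No" group is measurably worse, and the same shape of measure applies to any other checklist item paired with the finding class it is supposed to prevent.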

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread McGovern, James F (HTSC, IT)
Thanks for the response. I already own the book and understand how to engage 
vendors. Where I am seeking assistance is all the work that goes on within a 
large enterprise before these two things occur. The ideal situation for me 
would be to get my hands on the five to ten page Powerpoint slide deck that 
others who have blazed this path before me have used to sell the notion to 
their executives.

-Original Message-
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 5:06 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's 
"The Security Development Lifecycle" ISBN 9780735622142

http://www.microsoft.com/mspress/books/8753.aspx

It is simply the best text I've read in a long time. 

You may be interested in the work Mark Curphey et al is doing at his new start 
up. They launched an ISM portal a couple of weeks back. 

http://www.ism-community.org/

If you're just after ideas on how to engage vendors, check out Curphey's blog 
for some nice insider posts:

http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/

He ran Foundstone's services for a while, and built up a pretty good 
consultancy. 

The sort of metrics you're after are notoriously hard to find out in the wild. 
There's some folks capturing screenshots of enterprise dashboards. This may or 
may not help at all. 

http://dashboardspy.com/

Thanks,
Andrew


On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:



I agree with your assessment of how things are sold at a high-level but still 
struggling in that it takes more than just graphicalizing of your points to 
sell, hence I am still attempting to figure out a way to get my hands on some 
PPT that are used internal to enterprises prior to consulting engagements and I 
think a better answer will emerge. PPT may provide a sense of budget, 
timelines, roles and responsibilities, who needed to buy-in, industry metrics, 
quotes from noted industry analysts, etc that will help shortcut my own work so 
I can start moving towards the more important stuff.



-Original Message-
From: Andrew van der Stock  [ mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 2:50  PM
To: McGovern, James F (HTSC, IT)
Cc:  SC-L
Subject: Re: [SC-L] How is secure coding sold within  enterprises?

There are two major methods:

1. Opportunity cost / competitive advantage (the Microsoft model)
2. Recovery cost reductions (the model used by most financial institutions)

Generally, opportunity cost is where an organization can further its goals by 
a secure business foundation. This requires the CIO/CSO to be able to sell the 
business on this model, which is hard when it is clear that many businesses 
have been founded on insecure foundations and do quite well nonetheless. 
Companies that choose to be secure have a competitive advantage, an advantage 
that will increase over time and will win conquest customers. For example (and 
this is my humble opinion), Oracle's security is a long standing unbreakable 
joke, and in the meantime MS ploughed billions into fixing their tattered 
reputation by making it a competitive advantage, and thus making their market 
dominance nearly complete. Oracle is now paying for their CSO's mistake in not 
understanding this model earlier. Forward looking financial institutions are 
now using this model, such as my old bank's (with its SMS transaction 
authentication feature) winning many new customers by not only promoting 
themselves as secure, but doing the right thing and investing in essentially 
eliminating Internet Banking fraud. It saves them money, and it works well for 
customers. This is the best model, but the hardest to sell.

The second model is used by most financial institutions. They are mature risk 
managers and understand that a certain level of risk must be taken in return 
for doing business. By choosing to invest some of the potential or known 
losses in reducing the potential for massive losses, they can reduce the 
overall risk present in the corporate risk register, which plays well to 
shareholders. For example, if you invest $1m in securing a cheque clearance 
process worth (say) $10b annually to the business, and that reduces check 
fraud by $5m per year and eliminates $2m of unnecessary overhead every year, 
security is an easy sell with obvious targets to improve profitability. A well 
managed operational risk group will easily identify the riskiest aspects of a 
mature company's activities, and it's easy to justify impr

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread John Steven
s long enough for now. If there are topics you'd like me  
to enumerate more fully, or if I've missed something, shoot me an email.


Hope this helps, and sorry I didn't just attach a PPT ;)


John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F

Blog: http://www.cigital.com/justiceleague
http://www.cigital.com
Software Confidence. Achieved.


On Mar 19, 2007, at 4:12 PM, McGovern, James F ((HTSC, IT)) wrote:

I agree with your assessment of how things are sold at a high-level  
but still struggling in that it takes more than just graphicalizing  
of your points to sell, hence I am still attempting to figure out a  
way to get my hands on some PPT that are used internal to  
enterprises prior to consulting engagements and I think a better  
answer will emerge. PPT may provide a sense of budget, timelines,  
roles and responsibilities, who needed to buy-in, industry metrics,  
quotes from noted industry analysts, etc that will help shortcut my  
own work so I can start moving towards the more important stuff.

-----Original Message-----
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 2:50 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?

There are two major methods:

Opportunity cost / competitive advantage (the Microsoft model)
Recovery cost reductions (the model used by most financial  
institutions)


Generally, opportunity cost is where an organization can further  
its goals by a secure business foundation. This requires the CIO/ 
CSO to be able to sell the business on this model, which is hard  
when it is clear that many businesses have been founded on insecure  
foundations and do quite well nonetheless. Companies that choose to  
be secure have a competitive advantage, an advantage that will  
increase over time and will win conquest customers. For example  
(and this is my humble opinion), Oracle’s security is a long  
standing unbreakable joke, and in the meantime MS ploughed billions  
into fixing their tattered reputation by making it a competitive  
advantage, and thus making their market dominance nearly complete.  
Oracle is now paying for their CSO’s mistake in not understanding  
this model earlier. Forward looking financial institutions are now  
using this model, such as my old bank’s (with its SMS transaction  
authentication feature) winning many new customers by not only  
promoting themselves as secure, but doing the right thing and  
investing in essentially eliminating Internet Banking fraud. It  
saves them money, and it works well for customers. This is the best  
model, but the hardest to sell.


The second model is used by most financial institutions. They are  
mature risk managers and understand that a certain level of risk  
must be taken in return for doing business. By choosing to invest  
some of the potential or known losses in reducing the potential for  
massive losses, they can reduce the overall risk present in the  
corporate risk register, which plays well to shareholders. For  
example, if you invest $1m in securing a cheque clearance process  
worth (say) $10b annually to the business, and that reduces check  
fraud by $5m per year and eliminates $2m of unnecessary overhead  
every year, security is an easy sell with obvious targets to  
improve profitability. A well managed operational risk group will  
easily identify the riskiest aspects of a mature company’s  
activities, and it’s easy to justify improvements in those areas.


The FUD model (used by many vendors - “do this or the SOX boogeyman  
will get you”) does not work.


The do nothing model (used by nearly everyone who doesn’t fall into  
the first two categories) works for a time, but can spectacularly  
end a business. Card Systems anyone? Unknown risk is too risky a  
proposition, and is plain director negligence in my view.


Thanks,
Andrew


On 3/19/07 11:35 AM, "McGovern, James F (HTSC, IT)"  
<[EMAIL PROTECTED]> wrote:


I am attempting to figure out how other Fortune enterprises have
gone about selling the need for secure coding practices and can't
seem to find the answer I seek. Essentially, I have discovered that
one of a few scenarios exist (a) the leadership chain was highly
technical and intuitively understood the need (b) the primary
business model of the enterprise is either banking, investments,
etc where the risk is perceived higher if it is not performed (c)
it was strongly encouraged by a member of a very large consulting
firm (e.g. McKinsey, Accenture, etc).


I would like to understand what does the Powerpoint deck that
employees of Fortune enterprises use to sell the concept PRIOR to
bringing in consultants and vendors to help them fulfill the need.
Has anyone run across any PPT that best outlines this for
demograph

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread Andrew van der Stock
In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's
"The Security Development Lifecycle" ISBN 9780735622142

http://www.microsoft.com/mspress/books/8753.aspx

It is simply the best text I've read in a long time.

You may be interested in the work Mark Curphey et al is doing at his new
start up. They launched an ISM portal a couple of weeks back.

http://www.ism-community.org/

If you're just after ideas on how to engage vendors, check out Curphey's
blog for some nice insider posts:

http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/

He ran Foundstone's services for a while, and built up a pretty good
consultancy.

The sort of metrics you're after are notoriously hard to find out in the
wild. There's some folks capturing screenshots of enterprise dashboards.
This may or may not help at all.

http://dashboardspy.com/

Thanks,
Andrew


On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)"
<[EMAIL PROTECTED]> wrote:

> I agree with your assessment of how things are sold at a high-level but still
> struggling in that it takes more than just graphicalizing of your points to
> sell, hence I am still attempting to figure out a way to get my hands on some
> PPT that are used internal to enterprises prior to consulting engagements and
> I think a better answer will emerge. PPT may provide a sense of budget,
> timelines, roles and responsibilities, who needed to buy-in, industry metrics,
> quotes from noted industry analysts, etc that will help shortcut my own work
> so I can start moving towards the more important stuff.
>>  
>> -Original Message-
>> From: Andrew van der Stock  [mailto:[EMAIL PROTECTED]
>> Sent: Monday, March 19, 2007 2:50  PM
>> To: McGovern, James F (HTSC, IT)
>> Cc:  SC-L
>> Subject: Re: [SC-L] How is secure coding sold within  enterprises?
>> 
>> There are two major methods:
>> 
>> 1. Opportunity cost / competitive advantage (the Microsoft model)
>> 2. Recovery cost reductions (the model used by most financial institutions)
>> 
>> Generally, opportunity cost is where an organization can further its goals
>> by a secure business foundation. This requires the CIO/CSO to be able to
>> sell the business on this model, which is hard when it is clear that many
>> businesses have been founded on insecure foundations and do quite well
>> nonetheless. Companies that choose to be secure have a competitive
>> advantage, an advantage that will increase over time and will win conquest
>> customers. For example (and this is my humble opinion), Oracle's security is
>> a long standing unbreakable joke, and in the meantime MS ploughed billions
>> into fixing their tattered reputation by making it a competitive advantage,
>> and thus making their market dominance nearly complete. Oracle is now paying
>> for their CSO's mistake in not understanding this model earlier. Forward
>> looking financial institutions are now using this model, such as my old
>> bank's (with its SMS transaction authentication feature) winning many new
>> customers by not only promoting themselves as secure, but doing the right
>> thing and investing in essentially eliminating Internet Banking fraud. It
>> saves them money, and it works well for customers. This is the best model,
>> but the hardest to sell.
>> 
>> The second model is used by most financial institutions. They are mature
>> risk managers and understand that a certain level of risk must be taken in
>> return for doing business. By choosing to invest some of the potential or
>> known losses in reducing the potential for massive losses, they can reduce
>> the overall risk present in the corporate risk register, which plays well to
>> shareholders. For example, if you invest $1m in securing a cheque clearance
>> process worth (say) $10b annually to the business, and that reduces check
>> fraud by $5m per year and eliminates $2m of unnecessary overhead every year,
>> security is an easy sell with obvious targets to improve profitability. A
>> well managed operational risk group will easily identify the riskiest
>> aspects of a mature company's activities, and it's easy to justify
>> improvements in those areas.
>> 
>> The FUD model (used by many vendors - "do this or the SOX boogeyman will get
>> you") does not work.
>> 
>> The do nothing model (used by nearly everyone who doesn't fall into the
>> first two categories) works for a time, but can spectacularly

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread McGovern, James F (HTSC, IT)
I agree with your assessment of how things are sold at a high-level but still 
struggling in that it takes more than just graphicalizing of your points to 
sell, hence I am still attempting to figure out a way to get my hands on some 
PPT that are used internal to enterprises prior to consulting engagements and I 
think a better answer will emerge. PPT may provide a sense of budget, 
timelines, roles and responsibilities, who needed to buy-in, industry metrics, 
quotes from noted industry analysts, etc that will help shortcut my own work so 
I can start moving towards the more important stuff.

-Original Message-
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 2:50 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


There are two major methods:



1. Opportunity cost / competitive advantage (the Microsoft model)

2. Recovery cost reductions (the model used by most financial institutions)



Generally, opportunity cost is where an organization can further its goals by a 
secure business foundation. This requires the CIO/CSO to be able to sell the 
business on this model, which is hard when it is clear that many businesses 
have been founded on insecure foundations and do quite well nonetheless. 
Companies that choose to be secure have a competitive advantage, an advantage 
that will increase over time and will win conquest customers. For example (and 
this is my humble opinion), Oracle's security is a long standing unbreakable 
joke, and in the meantime MS ploughed billions into fixing their tattered 
reputation by making it a competitive advantage, and thus making their market 
dominance nearly complete. Oracle is now paying for their CSO's mistake in not 
understanding this model earlier. Forward looking financial institutions are 
now using this model, such as my old bank's (with its SMS transaction 
authentication feature) winning many new customers by not only promoting 
themselves as secure, but doing the right thing and investing in essentially 
eliminating Internet Banking fraud. It saves them money, and it works well for 
customers. This is the best model, but the hardest to sell.

The second model is used by most financial institutions. They are mature risk 
managers and understand that a certain level of risk must be taken in return 
for doing business. By choosing to invest some of the potential or known losses 
in reducing the potential for massive losses, they can reduce the overall risk 
present in the corporate risk register, which plays well to shareholders. For 
example, if you invest $1m in securing a cheque clearance process worth (say) 
$10b annually to the business, and that reduces check fraud by $5m per year and 
eliminates $2m of unnecessary overhead every year, security is an easy sell 
with obvious targets to improve profitability. A well managed operational risk 
group will easily identify the riskiest aspects of a mature company's 
activities, and it's easy to justify improvements in those areas. 

The FUD model (used by many vendors - "do this or the SOX boogeyman will get 
you") does not work.

The do nothing model (used by nearly everyone who doesn't fall into the first 
two categories) works for a time, but can spectacularly end a business. Card 
Systems anyone? Unknown risk is too risky a proposition, and is plain director 
negligence in my view. 

Thanks,
Andrew 


On 3/19/07 11:35 AM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:



I am attempting to figure out how other Fortune enterprises have went about 
selling the need for secure coding practices and can't seem to find the answer 
I seek. Essentially, I have discovered that one of a few scenarios exist (a) 
the leadership chain was highly technical and intuitively understood the need 
(b) the primary business model of the enterprise is either banking, 
investments, etc where the risk is perceived higher if it is not performed (c) 
it was strongly encouraged by a member of a very large consulting firm (e.g. 
McKinsey, Accenture, etc).

I would like to understand what does the Powerpoint deck that employees of 
Fortune enterprises use to sell the concept PRIOR to bringing in consultants 
and vendors to help them fulfill the need. Has anyone ran across any PPT that 
best outlines this for demographics where the need is real but considered less 
important than other intiatives?


*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by re

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread Andrew van der Stock
There are two major methods:

1. Opportunity cost / competitive advantage (the Microsoft model)
2. Recovery cost reductions (the model used by most financial institutions)

Generally, opportunity cost is where an organization can further its goals
by a secure business foundation. This requires the CIO/CSO to be able to
sell the business on this model, which is hard when it is clear that many
businesses have been founded on insecure foundations and do quite well
nonetheless. Companies that choose to be secure have a competitive
advantage, an advantage that will increase over time and will win conquest
customers. For example (and this is my humble opinion), Oracle's security is
a long standing unbreakable joke, and in the meantime MS ploughed billions
into fixing their tattered reputation by making it a competitive advantage,
and thus making their market dominance nearly complete. Oracle is now paying
for their CSO's mistake in not understanding this model earlier. Forward
looking financial institutions are now using this model, such as my old
bank's (with its SMS transaction authentication feature) winning many new
customers by not only promoting themselves as secure, but doing the right
thing and investing in essentially eliminating Internet Banking fraud. It
saves them money, and it works well for customers. This is the best model,
but the hardest to sell.

The second model is used by most financial institutions. They are mature
risk managers and understand that a certain level of risk must be taken in
return for doing business. By choosing to invest some of the potential or
known losses in reducing the potential for massive losses, they can reduce
the overall risk present in the corporate risk register, which plays well to
shareholders. For example, if you invest $1m in securing a cheque clearance
process worth (say) $10b annually to the business, and that reduces check
fraud by $5m per year and eliminates $2m of unnecessary overhead every year,
security is an easy sell with obvious targets to improve profitability. A
well managed operational risk group will easily identify the riskiest
aspects of a mature company's activities, and it's easy to justify
improvements in those areas.

The FUD model (used by many vendors - "do this or the SOX boogeyman will get
you") does not work.

The do nothing model (used by nearly everyone who doesn't fall into the
first two categories) works for a time, but can spectacularly end a
business. Card Systems anyone? Unknown risk is too risky a proposition, and
is plain director negligence in my view.

Thanks,
Andrew 





[SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread McGovern, James F (HTSC, IT)
I am attempting to figure out how other Fortune enterprises have gone about 
selling the need for secure coding practices and can't seem to find the answer 
I seek. Essentially, I have discovered that one of a few scenarios exists: (a) 
the leadership chain was highly technical and intuitively understood the need; 
(b) the primary business model of the enterprise is either banking, 
investments, etc., where the risk is perceived higher if it is not performed; (c) 
it was strongly encouraged by a member of a very large consulting firm (e.g. 
McKinsey, Accenture, etc.).
 
I would like to understand what the PowerPoint deck looks like that employees of 
Fortune enterprises use to sell the concept PRIOR to bringing in consultants 
and vendors to help them fulfill the need. Has anyone run across any PPT that 
best outlines this for demographics where the need is real but considered less 
important than other initiatives?



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___