Test before you buy…..

Posted on June 6th, 2007 by Drazen Drazic

When buying a new car, you test drive it… to see if it floats your boat and performs as you hope it will. A big factor is the security the car comes with nowadays. If you’re in the market for a Rex, Evo or the luxury sports models (I like my cars as you can tell), you expect the security now as standard, because you know you’re a target.

Why not do the same in terms of security for the new applications you’re buying… in addition to ensuring the functionality is there, which you do as standard? Hey, the analogy fits.

This story from SearchSecurity is worth a read, but somehow it looks like the last part of the journo’s story has warped into another plane and been replaced by the end of another article (which looks interesting in its own right).

We are seeing this trend growing and that is good! The last thing anyone wants is this. But, unfortunately, there’s still more “this”.

2 Responses to “Test before you buy…..”

  1. Smile. A certain large vendor loves the car (in)security analogy. I have come to despise it. There aren’t the same physics or costs involved with intelligent adversaries, and we know how much we value our cars’ *occupants*, and the cost of running and insuring our cars is a simple calculation anyone can do.

    I do fundamentally agree with the try-before-you-buy and testing prior to deployment, car analogy! Even pen-testing should be performed either in-house or externally as a form of quality assurance. It’s just tough to measure against baselines if there are none and the money is hard to quantify vs. building better code/services in the first place. Remember I agree with pen-testing however this may or may not reverberate with you: Ranum Schneier Point Counterpoint

    Scale - not even in some of the larger Telcos and enterprises do you get a lab nor a Model or Development/Testing environment. This is tough for SMEs too. Also vendors are having a tough time getting/shipping units for try-before-you-buy… money on the table huh? Things are moving too fast in my opinion!

    Complexity - whether regression testing code or just checking independent functional parts of the whole system, time/cost is a huge issue still. Sometimes I think I am starting to sound like grandparents regarding quality! I wish time wasn’t an issue, though with agile development and the constant changing of specs and deliverables, the pace and weight with which the security dudes have to deal with, in trying to influence is a big problem. Some would say it’s just a quality/change management issue, not even an overall security issue. How to measure this quality, or lack thereof in the face of uncertainty/intelligent adversaries?

    Cost - let me try a different tack on this. How do you know how much to spend on analysis and testing if you don’t know how much is resting on securing the systems effectively and to a tightly defined baseline, the possible complex knock on effects of a breach or outage, or the value of data/information/service you are trying to protect in the first place?

    For me the test drive is better than nothing, but more applicable to and in an operational sense of internal departments streamlining and flexing purchasing power, and not revenue generating projects or more front of house based efforts that have deadlines, launch dates and an overwhelming rush to acquire new customer bases with each iteration of a service or product. Much of these choices are made on golf courses ;)

    There’s a point at which reality and time to market kicks in. The utopia of secure development and deployment is a constant battle against prevention which inevitably fails against intelligent adversaries. Detection and remediation, MTTR etc., which also necessitates distributed content inventories, I like and lean towards. Stuff is going to fail. Bad people attack assets. Will they fail gracefully? I am not saying things aren’t going to get better when we exercise our buying power, enforce compliance, disclosure and regulations/litigation (very worried about litigation) etc… but this can stifle the same things it was meant to protect… will we witness the death of technological Darwinism?

    Ranum has been saying this for years.. you can’t polish turds etc. Action vs Inaction, Pause and Think, Operational Testing. Proper change management.

    #6 Ranum 6 Dumb Ideas

    Small to medium businesses are the backbone of any economy, but find it terribly difficult to exercise their IT/Security buying power on a large enough scale. Who represents them and helps to stop them from making the mistakes you’ve posted about earlier? If it’s not their core business and they are vulnerable to the same threats as the big guys, but possess less expertise, then it’s time someone stood up for the little guys ;)

    D.

  2. Where’s the Buddha porn? I came here looking for it! Now I’m enlightened there’s nothing that does it for me like the all seeing Eye!

    Raraafat
