I was trying to explain software security to a friend the other day. The friend knew a bit about network security and figured firewalls were the beginning and end of computer security.
I ended up using a bank analogy. The bank's security division understands the bank's assets and has the expertise to lay out the bank--where to put exits and entrances, surveillance cameras and guards, tellers, bank managers, and bathrooms--to reduce the risk of theft. They also understand the security properties of safes, and they figure out what type of safes are needed and where they should go.
In contrast to the bank's security group, a software security team would be similar to a safe-security group at the safe manufacturer. They help with the design, construction, and testing of safes so that the bank's security group has some assurance that the safe they are installing has the security properties needed for the type of asset the safe will hold and its location in the bank. Both of these capabilities are necessary to produce an appropriately secure bank.
Unfortunately, most of the software we use wasn't constructed with the attention to security that goes into building a safe. I think that needs to change. We need to get to the point where we think of software, especially software that handles and stores sensitive information like passwords, credit card numbers, and health records, as a vault. To get there, we need software security people helping out with the design, construction, and testing of software.
Comments