

Security Language That Everyone Understands

Although Michael Howard has some arguments against comparing software with the physical world, I will take a chance on that one.

As for me, a language is designed to serve as a communication channel between the parties: English for two English speakers, C# for a developer and a machine, body language for everyone else :)

Now, how many times have you walked into a restaurant, asked for today's specials, and heard in response something that does not even sound like food? Or talked to a lawyer who throws at you words that only advocates understand (or pretend to)?

I constantly see the same story with security folks talking about XSS, CSRF, injection, and other beasts.

I have found it pretty useful to present security differently to different audiences; here is the breakdown:

  1. C-level executives care about the shape of the business; they could not care less about your XSS if you cannot show that it impacts the business.
  2. Security folks are paranoid - everything is crackable and hackable (now you know exactly who I am - the paranoid one). Show them the exploitability of the XSS; if you/they cannot, then drop it, or at least give it low priority.
  3. Project managers - all they care about is being on time, on budget, and on spec. If security is not in the spec, the war is lost already... But if you show them that the effort to fix is minor, then there is some hope, though not too much...

The RACI chart found in Fast Track – How to Implement the Guidance can be a talking point too.

There are some more audiences, but I'll stop here to keep the post brief and readable, applying the 4th tip from 5 Tips for Blogging.


Enjoy

Comments

  • Anonymous
    March 22, 2007
    After reading Alik Levin's Security Language That Everyone Understands and Michael Howard's Security
  • Anonymous
    April 27, 2007
    When I started to practice Threat Modeling three years ago, I thought it was the most boring part of security
  • Anonymous
    May 23, 2007
    I am not a marketing guy, nor a strategic one – I really do not know why I started to read this post - Why