Partager via

High ROI Security Activities

  • Article

You can create effective security activities based on the high ROI engineering activities:

  • Security design guidelines
  • Security architecture and design review
  • Security code review
  • Security testing
  • Security deployment review

Rather than interspersing security in your existing activities, factor security into its own set of activities.  Factoring security into its own workstream of quality control, keeps the activities lean and focused.  Because you’re leveraging high ROI activities, you’re increasing the likelihood of influencing the shape of the software at strategic points.  You create an engineering system that helps you address security throughout your software development vs. up front or after the fact.   Using multiple activities vs. a single big bang effort up front or at the end creates an approach that scales up or down with project complexity and size.
 

The trick is to not over-invest at any one stage – stay leveraged.   Rule out losing strategies early in the analysis but still cast a wide net.  Progressively more costly analysis happens later and is much more likely to be on the correct path.   Don’t spend a lot on costly late activities until you’ve passed muster on much less costly activities.  Start with low cost, high roi activities, learn along the way, iteratively add more time and expense as you better understand what you are doing.
 

Simply factoring security into its own activities doesn’t produce effective security results.  However, factoring security into focused activities does create a way to optimize your security efforts, as well as create a lean framework for improving your engineering as you learn and respond.

Comments

  • Anonymous
    October 12, 2005
    Great stuff - keep it comming!!!

  • Anonymous
    October 18, 2005
    The comment has been removed

  • Anonymous
    May 07, 2007
    Lifecycle and prioritization seem like a key to successful implementation of Security Engineering. Why

  • Anonymous
    May 23, 2007
    I am not marketing guy, nor strategic one – I really do not know why I started to read this post - Why

  • Anonymous
    December 19, 2007
    Threat Modeling is a way to identify potential security issues to help you shape your application's security