APP SECURITY: New Year’s Resolutions & the Coming Holiday Hangover

Fast forward to January 6th, 2014, the first Monday of the first full week of the New Year – the vapor trail from the parties, great food and drink has dissipated as the reality of a new year with new challenges sets in with your first cup of office coffee. 

Your boss enters the room and says, “Happy New Year, sport! What are your thoughts on changing our cyber/application security strategy this year as our department’s New Year’s resolution?” STOP! Don’t answer with a knee-jerk response like, “Dude, seriously … the coffee hasn’t hit my system yet to start thinking in esoteric terms and the champagne from New Year’s Eve hasn’t completely worked its way out of my system!” What you should say is, “Chief, culture eats strategy for lunch!” 

The most successful companies of our time have achieved greatness from executing strategies driven by a culture built on fundamental core principles.  Approaching application security with a strategy-only approach will achieve results, but without having a culture of security woven into the fabric of your company, those results will be short lived. 

I will briefly discuss the six fundamentals of building a secure culture in your company. None of these are absolute, and your mileage will vary depending on your company’s uniqueness. One other disclaimer: each of these building blocks requires much more context than a mention in a blog can give, but let’s have some fun anyway.    

PEOPLE – You’re only as good as your people, and having an effective human capital strategy is essential. Many programmers and managers struggle to understand the difference between secure coding and regular programming. Establishing a continuing education program for all employees starts to remove this layer of fog and arms your most valuable resource with the critical knowledge needed to start building in security from the grassroots. Don’t forget to build in incentives to reinforce the importance of flawless execution, and most importantly, make it fun by adding a sprinkle of gamification! 

PROCESS – You don’t know where you’re going if you don’t know where you’ve been! Having a process that is measurable, repeatable and predictable is important in laying the foundation of a secure culture. Having a process in place allows you to experiment by plugging in different concepts and ideas and seeing their material effect on your security posture. This building block is not a light switch you can turn on if you don’t have it; it may require some long-term planning, but it is very important. 

TECHNOLOGY – Don’t stress about picking the right application security analysis tool; just pick one and go with it. Getting the technology right in the beginning isn’t as important as setting the expectation throughout the organization that automation will be part of your secure culture operations without exception. 

STANDARDS – Don’t use aviation standards to build mobile apps! There are plenty of published security standards out there. Pick the one that suits your company, product and market and spoon-feed these standards to your engineering team gradually over time. It’s a marathon, not a sprint. 

DATA MANAGEMENT – This is where the fun starts. You might be a little tired when you get here, but when you start to see the data being generated from all of these building blocks, the real work begins. Too many organizations fail by patting themselves on the back at this point, stopping to admire what they have accomplished. But that’s not going to be you! Understanding the data and turning the identified security risks into opportunities for your company to catapult ahead of the competition is the battle cry of carpe diem! 

TRANSPARENCY – Providing different views of the same security data to executives and engineers is absolutely essential. Understanding the importance of this information and, even more importantly, collaborating to take advantage of opportunities is the business benefit of having a culture centered around security, ensuring all stakeholders are apprised of its current status. 

So, consider yourself totally prepared to have a rocking New Year’s Eve, because now you’re armed with information. When your boss, Skippy, asks you about a sound application security strategy, you can hit a home run and get back to recovering from your holiday hangover!

Happy Holidays and Cheers!


Rob Cross
PSC, Vice President              

 

Written by Rob Cross at 05:00

The Next Generation of Hackers? Assess Your Application Security Now!

Today’s youth … tomorrow’s threat? It’s absolutely mind-boggling that kids today know how to swipe an iPad before they learn how to talk or write. Don’t you agree?

Computers, handhelds, software: the interconnectedness that was once foreign to people like me is a natural appendage for the coming generation. Why am I bringing this up? The systems and software designed today were designed by a generation that had to painfully adjust their lives to the constant interruption or disruption of technology. We have integrated ourselves into this new reality time and time again.

However, tomorrow’s generation is integrated with technology almost from birth. Sociologically, we are at a disadvantage because this younger generation will easily find ways to compromise the systems we have designed using outdated technology paradigms. Perhaps this paradox is nothing new; however, the rate of technology invention will not outpace the rate of human innovation and the ability to compromise technology in the decades to come. If you don’t believe it, check out the news story below and try to keep your jaw from hitting the floor.  

British schoolboy, 16, ‘took part in world’s biggest cyber attack’ and was found to have significant amount of cash flowing through bank account

Adding some more logs to the fire, there are a number of companies beginning to dabble in the “digital black arts” (aka software development) which traditionally have not done so in the past, such as consumer goods companies. Additionally, many more companies are integrating software (open source or commercial off the shelf) into their environment. But these companies often do not understand the risks that come with these initiatives. The question becomes: How can these companies manage these changes and manage the risk?

Like any good problem, the solution requires a holistic and layered approach, starting with cyber security. There are many opinions out there regarding the layers of security needed to sufficiently address this growing threat; I, however, will just discuss one: application security.    

It’s always interesting to me when we receive the phone call from companies that are known to be leaders in their market because they have a “situation.” The conversation usually starts off with a quick signing of an NDA, and then we’re immersed in the details of how the company has been compromised from not proactively paying attention to application security; and, before they go public, they need to make sure a solution is in place.

I have enormous respect for these companies, and I’m in awe of their incredible ability to execute ultra-complex go-to-market strategies and build empires. However, when it comes to making sure their digital assets are locked down, they have fallen short and are unknowingly playing the cyber equivalent of Russian roulette. The C-level executives in these situations are typically speechless, having found out that the loyal and strong customer base they spent millions of dollars and years of hard work building has started to erode in less time than it took my old Atari 2600 to boot up and load Pac-Man. 

The cyber threat is here and it’s not going away. In fact, it’s growing at a rate that is mind blowing, and with new generations in the pipeline growing up with technology integrated from the start into their daily lives, we’re in for a ride. 

Doing due diligence by having an independent assessor come into your company to evaluate your application security readiness needs to be part of the corporate strategy as a planned, proactive activity. Your customers and shareholders deserve nothing less. It’s not a silver bullet per se, but part of a bigger holistic cyber security strategy that will at least keep your company in good standing and perhaps a half-step ahead of the bad guys in cyberspace.

By the way, this photograph is such a violation of my nostalgic memories. How dare someone commingle an iPhone with my beloved Atari 2600. As we would say back then, “Dude, that’s totally cool … NOT!” 


Rob Cross
PSC, Vice President              

Written by Rob Cross at 05:00

Is Your Software a Lamborghini or a Yugo?

When I was a kid, my bedroom walls were plastered with posters of Lamborghinis (mixed in with the occasional poster of your favorite eighties hair band). The image and branding of Lamborghini is the epitome of performance and sex appeal in the most extreme sense. It turns out that the love for these cars is genetic, and my 12-year-old son shares my obsession.

This slick image is something we all try to achieve with the things we build. Our customers always have the requirement to build their software so it’s fast ... like “Lamborghini” fast! However, often they find in the end that they really built something else …

Enter the Yugo! If it were, as my 12-year-old would say, “opposite day,” then you would be driving one of these cars instead, the shining star of the automotive industry where economical violently crashes into ugly. I believe these cars went from zero to sixty in 30 minutes, with your friends giving you a push start. Fred Flintstone and Barney Rubble could pedal their car faster.  

Unfortunately, sometimes our software shares the same characteristics of a Yugo, and we start to ask the question, “How did we get here?”

Most of the time our customers blame the Lamborghini speed of their software process on time-to-market demands, which causes them to push off performance until the end (because features are more important). In the worst cases, by the time our customers come to this conclusion, they realize the impending decision is COMPROMISE. In other words, the software may have the sex appeal of a Lamborghini, but when you step on the gas she doesn’t go. Most of the time they have hard-wired the performance limits into their architecture, and correcting that is major surgery and very expensive. However, all is not lost! Software, unlike actual cars, can be “bent” and changed much more easily, and in a lot of ways that have a material impact on its performance.  

From our experience as a company, performance tuning software is a unique capability, and not every software organization has the correct mix of talent, technology and, most importantly, time to pull it off themselves. What we also find is that the definition of performance varies across projects, and even within a project across engineers. The key is understanding which definition the market deems most important and focusing on those targets as the priority; the rest of the performance requirements can be addressed over several releases. Another key factor is the economics of this activity: fixes that deliver the maximum improvement to performance with the lowest impact to the architecture come first.

We know that it’s hard to take a step back from the wonderful work you created and realize you began the journey wanting to build something sexy and fast, but unfortunately today was opposite day. The team’s intention was absolutely in the right place, but the speed of process and other competing priorities interfered with our dream of building our Lamborghini. Rest assured, there are ways to engineer performance back into the software, so in the end you may not have the Lamborghini, but you definitely won’t have a Yugo, instead you might end up with …  

Yup … you knew this is where I was going: the van. She’s not sexy and she’s not ugly either. She’ll do zero to sixty a heck of a lot faster than both a Yugo and Fred and Barney. Lots of utility and incredibly reliable, with mass market appeal. Yes, folks, this is what most of us (including me on weekends) drive.  

Why should our software be any different?  
      

Rob Cross
PSC, Vice President              

Written by Rob Cross at 05:00

Check Your Software’s Cholesterol Level!

I don’t believe it! I have high cholesterol? But, I exercise every day, take my vitamins and eat low fat and low sugar foods! How is this possible? But, the results don’t lie. One simple blood test can tell someone a lot about what they thought was true, introducing a new reality.  

Many of our customers have the same reaction when we first expose them to application development metrics (ADM), introducing them to a new reality. The reaction is usually something close to, “But, I use Agile methods! I bought my engineers the latest and greatest software tools! I even invested in sending my staff to training to become black belts or something like that! This is outrageous!” 

In this case, the simple blood test was a forensic audit of the code. Just like the example blood test above, ADM analytics provide organizations with a good dose of reality in terms of what “ACTUAL” process they are following, not what they profess to follow. The only artifact in sync with your true process is the result of it (the code) and ADM analytics offer reality – and for many, an excellent opportunity to eliminate waste and capitalize on things that are working and providing savings and benefits back to the organization’s business objectives.  

Don’t misread this post; I believe in process and not to invest in it would be a big mistake. However, I also believe that not checking how you are executing on that process through some simple “blood tests” or ADM analytics would equally be a big mistake. Building a tangible product using manufacturing processes invented by Henry Ford a century ago is very different from building bits and bytes in cyberspace. One difference is that as an executive, I can walk down to the factory line and pick up the tangible product and feel it, measure it, use it and eat it (if you work for Krispy Kreme – that would be fun).

Software doesn’t always offer these advantages. Instead, we employ some practices and beliefs such as “best efforts” and tools and testing that will identify potential issues. Reality is that management, customers, competition and market demands change our actual implementation of process, mostly in negative ways. Once we accept this fact, then we can accept the reality that those processes and tactics that we believe are there to identify and mitigate such risks have been significantly diluted. What’s my point?      

There are many competing demands on organizations, but the one that usually wins is “go faster.” This decision tends to force organizations to shortcut process, which introduces unknown risks (i.e. technical debt) into the process, which then manifest in the code. Just like you can’t fit 10 pounds of sugar in a five-pound bag, you can’t fit five months of software into a four-month cycle and still hit all your targets. By giving yourself a “blood test,” an ADM audit, you gain transparency into the actual process your organization followed as a consequence of speed – and the opportunity is to correct the mistakes, learn, adjust and keep moving forward!

Next month I’m going to discuss what it might be like to work for Krispy Kreme and being able to eat your work in process!


Rob Cross
ProServices, Vice President

Written by Rob Cross at 06:44

Software Quality Management – tools management versus data management … that’s the question!

I’m going to reveal a very personal secret to all of the folks following this blog; promise not to tell anyone, okay? I’m really a dyed-in-the-wool sales guy! Whoa! I’m glad I got that off my chest.

Call me biased (that’s all you’re allowed to call me), but sales people are one of our greatest assets to understand the pulse of the marketplace because they’re on the front lines punching at the 500lb marshmallow every day, understanding our customers’ pain and selling solutions. I have been involved in selling software quality solutions across industries for 14+ years and being on the front lines for that long, I’ve noticed some things that perhaps you might find interesting. 

My very first blog post a couple of months ago (“An Important Question to Ask after a Very Public Software Disaster”) posed a question that I only partially answered regarding data management versus tools management. My current company, PSC, offers independent software security and quality inspections. I mention this because our main competitors are my customers, who perceive that they do the same thing that we do. 

One observation over the years is that most executives believe just buying software tools for their engineers is good enough to identify, manage and mitigate software risks. I call this strategy tools management. This entails keeping the engineers happy by allowing them to play with the latest new widget, or allowing them to download free ones at will, or in the worst case, allowing them to spend hundreds of thousands of dollars on a big software solution with big promises of ROI. The good news is these folks understand the value of automation; the bad news is they have not realized its potential value because they don’t have a data management strategy.

I know what you’re thinking, “What are you talking about … what is a data management strategy?”  In the majority of accounts we have done business with, those who have automated tools are unable to determine the following:

  • Are engineers actually using the tools?
  • Do engineers understand how to assess the data output and correlate it to the risks that are important for the corporation to identify, measure, manage and mitigate?
  • What are the results of this data management process, so that they can be provided to the various stakeholders within the organization?   

Finally, and this is the killer question, “Does anyone guarantee the integrity of the resulting data so the business can make critical tactical and strategic decisions based upon the results?”     

I know this sounds like it’s costly to implement internally, and you’re right, quality does not come cheap – but neither does ignoring this fundamental data management process, which results in software glitches in the field and damage to your company’s brand and reputation. Take Chrysler, for example: three major recalls in the past three months due to software errors in their vehicles. Ouch! 

The easy part is picking a tool; the hard part is correctly integrating it into your software development lifecycle, thinking through a sound data management strategy to turn risks into opportunities, and being able to answer with confidence the above questions. 
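What a data management strategy looks like once the tool is bought is best shown in code. The script below is an added example, not PSC’s or David Consulting Group’s code, and it serves both the TRANSPARENCY point from the New Year’s post (different views of the same data for engineers and executives) and the four questions above. It reads SARIF 2.1.0 documents, the tool-neutral output format most static analysis tools can emit; the two repositories, the tool name “ExampleSAST”, the list of rule IDs treated as business risks, and the report-signing key are all constructed for the example and are not things the post prescribes.

```python
"""Answering the four data-management questions from raw scanner output.

Added example; not PSC / David Consulting Group code.  Input is a set of
SARIF 2.1.0 documents keyed by repository.  Repositories, results, rule-to-risk
mapping and the signing key below are constructed for illustration.
"""
import hashlib
import hmac
import json
from collections import Counter, defaultdict

# Constructed sample: web-frontend has the scanner wired in, but its last build
# never produced a run.  That gap is exactly what question 1 is meant to catch.
SAMPLE_RUNS = {
    "payments-api": {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "ExampleSAST"}},
            "results": [
                {"ruleId": "sql-injection", "level": "error",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
                {"ruleId": "hardcoded-secret", "level": "error",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"}}}]},
                {"ruleId": "unused-import", "level": "note",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"}}}]},
            ],
        }],
    },
    "web-frontend": {"version": "2.1.0", "runs": []},
}

# Assumption: the rule IDs the business has decided count as risks.  Everything
# else the tool reports is noise for the purpose of the executive view.
RISK_RULES = {"sql-injection", "hardcoded-secret", "path-traversal"}

# Assumption: key held by the reporting pipeline, not by the teams being measured,
# so a report cannot be quietly edited after it has been handed to management.
REPORT_KEY = b"constructed-demo-key-rotate-in-production"


def _results(doc):
    """Flatten every result of every run in one SARIF document."""
    for run in doc.get("runs", []):
        yield from run.get("results", [])


def _uri(res):
    """First file location of a result, or a placeholder when the tool gave none."""
    try:
        return res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    except (KeyError, IndexError):
        return "<unknown>"


def tool_usage(docs):
    """Question 1: did each repository actually produce a scan run?"""
    return {repo: bool(doc.get("runs")) for repo, doc in docs.items()}


def engineer_view(docs):
    """Question 2: per repository, only the findings that map to named risks,
    with the file each one lives in, so an engineer can act on it."""
    view = defaultdict(list)
    for repo, doc in docs.items():
        for res in _results(doc):
            if res.get("ruleId") in RISK_RULES:
                view[repo].append((res["ruleId"], res.get("level", "warning"), _uri(res)))
    return dict(view)


def executive_view(docs):
    """Question 3: the same data rolled up per repository: coverage plus counts
    by SARIF level, no file paths, suitable for a stakeholder dashboard."""
    rollup = {}
    for repo, doc in docs.items():
        levels = Counter(res.get("level", "warning") for res in _results(doc))
        rollup[repo] = {"scanned": bool(doc.get("runs")),
                        "error": levels["error"],
                        "warning": levels["warning"],
                        "note": levels["note"]}
    return rollup


def seal(report):
    """Question 4: HMAC-SHA256 over canonical JSON so the integrity of the data
    decisions are made on can be checked later."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(REPORT_KEY, canonical, hashlib.sha256).hexdigest()


def verify(report, digest):
    """True only if the report is byte-for-byte what was sealed."""
    return hmac.compare_digest(seal(report), digest)


if __name__ == "__main__":
    summary = executive_view(SAMPLE_RUNS)
    print(json.dumps(summary, indent=2))
    print("usage:", tool_usage(SAMPLE_RUNS))
    print("seal:", seal(summary))
```

The point of the two views is that they are computed from the same findings, so engineers and executives argue about the same facts; the seal is what lets the person presenting the rollup say it has not been touched since it was generated. A repository that reports zero errors because it was never scanned shows up as `scanned: False` rather than as a clean bill of health.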

I will be sharing with you more thoughts regarding tools versus data management because there are more dimensions to this issue. It’s an exciting area of discussion within the industry because, believe it or not, software risk analytics or intelligence is an up-and-coming area of growth with some exciting technologies coming to market. 

Now that I have revealed to you my little secret and you understand my perspective from the front lines, I have to be true to my knitting as a sales professional with a plug for my company. Our customers have documented through case studies that we provided data management and analytic services to them at 1/3 the cost in comparison to their internal resources with a historical 9.5x ROI. Now, c’mon … you know that’s impressive!

I would love to talk to you about the details of these studies and the services we can provide through David Consulting Group, so feel free to leave a comment below!  For the rest of you, I will be discussing other dimensions of this topic in future posts, so you’ll have to be patient until next month. Until then, remember, it’s not the tools, it’s the data! 


Rob Cross
ProServices, Vice President              


Written by Rob Cross at 05:00
