Security Evangelist or Zealot – Where to Draw the Line

[ This article was originally published here ]

Security Evangelist of Zealot – Where to Draw the LineThe Bean Counters

Many years ago, a car was manufactured with a design flaw resulting in the gas tank catching fire when the car was struck from behind. Many deaths stemmed from this mechanical flaw. It was later revealed during subsequent wrongful death court cases, that the vehicle’s manufacturer was aware of the problem, had performed a risk/benefit analysis, and determined the cost to fix the problem would exceed any penalty levied by the courts.

As a software security professional, you may question – what type of software could result in a risk to life? Imagine, however, a faulty calculation in medical device’s software, possibly causing death if the calculation was significantly incorrect. Or aviation software, where the failure can result in numerous deaths. Additionally, agricultural software controlling the amount of pesticides sprayed into a crop of food could result in illness or death, if improperly programmed.

The question you must ask yourself is, how would you respond if you found yourself in a similar situation?

Not All Flaws Are Fatal

All software has problems, and fortunately, not all of those problems result in death. However, to a lesser extent, even small software flaws can result in losses to a company in time, money, and reputation. Part of your job as a software security lifecycle professional is to protect against negative events. How assertive should you be when a flaw is uncovered? Or more specifically, at which point do you cross the line from security evangelist, to security zealot?

It’s More Than Just Ethics

A key requirement towards becoming a Certified Software Security Lifecycle Professional (CSSLP) is the obligation to adhere to a code of ethics. In a corporate environment, you may find that your ethical code is not as important to others who have a business to run. While this may sound negative, it really is not; it just shows how your perspective may differ from others. How can you sell your version of “the right thing to do” to someone who does not see it exactly the same way? Is there a way to uncover whether you are not seeing something clearly?

The Best Selling Technique

Many times, security people are perceived as alarmists, lacking empirical foundation. This is the territory of zealots. In business, the best technique to get a point across is to use the numbers. After all, business is about turning a profit. By taking the time to analyze the costs of a security flaw, you can present a reasoned case based on the numbers, rather than using nebulous “what-if” scenarios. If you are truly honest with your calculations, you may even find that your approach was flawed, allowing you to find a better compromise towards a solution.

Preservation Of Life Is Paramount

Regardless of any risk plan that you may devise to protect your organization, preservation of life puts an end to any analysis. Human life must always be protected, regardless of the cost. Fortunately, most businesses have heeded the punitive lessons of those who chose to ignore safety in favor of profits. Two recent examples are the faulty vehicle airbag recall program, and the MAX 737 airplane problems, where safety was placed ahead of costs. Although we have come a long way towards security, that is no excuse to be less vigilant in our pursuit of the best security possible.

Taming the Zealot

There is nothing wrong with being an ardent supporter of security. However, impassioned pleas are not the same as effective discourse. One of the best ways to keep your passions under control is through education. The more you know about your craft, the better equipped you are to discuss it at all levels of an organization. With strong foundational knowledge, and continued education, you can speak effectively to a highly technical audience, as well as to those who are more focused on the non-technical aspects of the business.

How The CSSLP Can Help You Succeed

If you are a security professional looking to increase your knowledge of all aspects of software security principles and practices, the CSSLP credential offered by (ISC)² is the perfect means to gain the required understanding and skills for this important facet of information security. The training offered through the study towards attaining the CSSLP credential will provide you with the knowledge to effectively articulate the best reasons to follow sound security practices. The CSSLP credential gives you the skills you need to not only function at the highest levels of software security, but also equips you with the tools to effectively communicate the importance of good software security. Moreover, the specialized knowledge gained through achieving the certification makes you a valuable asset to any organization.

To discover more about how you can benefit from CSSLP, download our eBook The Art & Science of Secure Software Development.