“Look at what is built around you”
Ok, I thought it would stop at three parts, but there is always more to learn about information security from the outside world; in my case, the world of emergency services. This continuing series of blog posts draws on the parallels between firefighter knowledge and security awareness.
When a first responder initially arrives at a fire scene, they perform a situational assessment which includes the environmental factors (weather conditions), resource availability (water supplies), and building construction type. Today’s column focuses on the latter: knowing how things around you are built.
With building construction, there are five basic construction types[i] to be aware of, and there are several parallels between how buildings are built and how software applications and networks are built.
- The first two types of building construction apply to most commercial buildings. They are “over-built” in the sense that they have some generic (dead-load and live-load) requirements, but the internals can be reconfigured for various types of work. The three remaining types are mostly residential, meaning they are “purpose-built” structures.
- Also, within these two main classifications are two styles of construction: “traditional”, which employs older methods of post-and-beam construction, and “lightweight”, which uses computer-aided design (CAD) models to define the minimum material needed to meet the building’s load requirements. Good examples of this are “truss-roof” structures for commercial buildings and “manufactured I-beams” for residential buildings.
Studies have been done[ii] showing that the time a burning building keeps its structural integrity has dropped from several hours to about 20 minutes, so the window of opportunity to keep the first responder safe and save the building is greatly reduced.
Similarly, as more and more applications are built to narrow specifications using current Agile development methodologies, their resilience to unexpected problems, or to the abusive inputs and misuse that attackers may employ, is also reduced.
Unfortunately, for both the firefighter and information security personnel, there are few (if any) visible signs of whether what you’re protecting is resilient or just a house of cards.
There are two facets to this issue of “what is built around you”: development strategies (for contracted / custom-built applications) and vendor management (for purchased / off-the-shelf applications).
Development Strategies: I am not, in any form, endorsing one development methodology over another (e.g. Agile versus Waterfall), as both have their strengths and weaknesses; but I am pointing out that SDLC methods, like other tools, need to be used in the proper way, with appropriate training. All businesses have different resources they can draw from. In my company, I lean towards agile development when I know the team of designers and developers are subject matter experts (SMEs) in the goals and features of the product being built. However, when contracting out development, I tend to use the waterfall method to define very specific requirements to be built in an outsourced environment.
Vendor Management: When looking at off-the-shelf applications, do your research in the blogs, forums, customer support and bug tracking portals. There is a plethora of information about the application (both good and bad) that can help you make an informed decision. For example, for large companies, a product such as SAP for order management or logistics may be a good fit; but for my company, it is over-built. For custom software vendors, review their internal development lifecycle and determine whether they place enough emphasis on security and configurability as well as on features.
Finally, no matter which road you choose to deploy an application to support your business, pre-plan for the day when everything goes wrong. Security is about knowing how to react “when” a fire occurs, not “if”.