Why Application Security Programs Fail

Sunday, January 23, 2011

Rafal Los


"Do or do not - there is no try" --Yoda.

If you've ever had the misfortune of driving late at night and injuring (or worse) one of those beautiful creatures, a deer, you can't help but wonder to yourself - why didn't that deer just move when it saw me coming?!

There was plenty of time and ample room to run away; all it had to do was decide and execute.

Then you sit down at your desk Monday morning and notice that your App Security program isn't making any headway... and it's been 6 months.  You've laid out all the things that need to be accomplished, goals, tools and processes - but nothing's getting done.  

Just like the situation with the deer - there are avenues for success and all someone has to do is make a decision and execute.

Strangely, the answer to both "Why?" questions is roughly the same.  The answer lies in the inability to make a decision based on being presented with too many options.  For the unfortunate animal the problem comes from having a brain too small to process the information and options quickly enough to make an escape decision.  

For the enterprise the problem comes in when there are three factors at play:

  1. No one decision maker (executive decision maker)
  2. No clearly defined, attainable goals
  3. No concrete step-by-step plan for execution

When these 3 things are present, failure is imminent.  Sadly, point #1 is almost guaranteed in any large organization where decisions are made by committee.  

Without a single executive decision maker there will be endless debates, studies, trial periods, evaluations, re-work and feedback loops that never lead to any measurable success even years down the line.

It is only by overcoming these 3 key obstacles that a program has even a snowball's chance in Florida of success.  (Anecdote: Florida is currently the only 1 of the 50 states that does not have snow on the ground.)

The big question of course is - how can you overcome some of these issues if you have "decision by committee" going on right now in your organization?  I think that while it's difficult - it still is possible to overcome issue #1 if #2 and #3 are strong.

Having clearly-defined and attainable goals of your Software Security Assurance (SSA) program is more important than almost anything else.  While there are many subtleties to building goals in any particular organization (to be addressed in a later post) without them being clearly defined and reachable in reasonable amounts of time you cannot expect anything else but failure.

Once you have managed to define goals and their timelines the next absolutely critical thing to have is a plan for execution.  Imagine your favorite sports team announcing before the season starts that they will be winning the championship this year.  Forget that they were the worst team in the league last year - this is their year.  

If this is all you hear you're probably a Cubs fan... hah! I'm kidding! No, seriously though - empty words are just that.  If there is a lofty goal without a reasonable and concrete plan to execute on to attain that lofty goal, odds are the goal won't be met.  As a Cubs fan I'm still waiting on that World Series win.

So there are 3 reasons that programs fail.  They have very little to do with what tools you've bought, or whom you've hired or how much you've paid them.  Much of the success or failure of your SSA program will depend on corporate politics and your ability to brace against and work around them.  

Whether you're in a 10 person small shop, or a Fortune 100 - these 3 key obstacles still apply.  Keep that in mind as you charge forward.

Good luck!

Cross-posted from Following the White Rabbit
