Software Security: Just What is the Meaning of Mature?

Tuesday, March 22, 2011

Rafal Los


It's absolutely true, the word "mature" gets thrown around a lot when speaking of products, services and programs - but what does it actually mean? 

In trying to comprehend the meaning of the word as it applies to Software Security Assurance programs I felt like I needed to consult the dictionary - which sadly in this case just wasn't very helpful, hence a need to dig deeper.

The dictionary defines maturity as a state of full development, or perfect condition.  Now, I can throw the second one right out when we're talking about security - because if we're talking about security and trying to define it as a 'perfect condition' then we're in the wrong ballpark. 

We all know there is no such thing as a perfect condition when we refer to anything real in Information Security ...or any kind of security for that matter.  There is no perfect, not in implementation in the real world, there is only good enough.

Let's move on to the first definition... a state of full development.  What does full development mean? 

Maybe we can define this mythical state as a point in time where the SSA program we're putting into place has reached an apex... but that's a little fuzzy and leaves too much room for guess-work, so let's keep trying. 

I've sat here and thought about what a state of full development might mean to me if I was responsible for the security posture of the software powering my organization... and I'm repeatedly pulled back to the same answer I've given for years: "it depends". 

What it depends on, of course, is relatively concrete and shouldn't change much from organization to organization (unless the organization itself is far out-of-line with the norm). 

So let's approach the problem of defining maturity in a roundabout way then... let's define first what organizations look for and measure their security by, and then let's see if we can figure out how to measure or quantify what is full development by that series of criteria.

So then, what do organizations mostly care about? The first and most obvious answer is easy - money. 

More specifically and to the point, spending as little of it, to make as much of it as possible.  So what we're trying to figure out here is a maximal state of return where an organization pays as little as possible into the security 'fund' but gets maximum benefit out of it.  While I can't tell you what that point is (as far as a dollar figure) I can tell you that spend should be as little as possible.

The next big item is organizational impact.  Surprise, surprise, we're looking for minimal organizational impact and a maximum return on minimizing risk... This easily translates into "make me jump through as few hoops as possible to make me more secure" if you want to simplify it down.

Last but not least on the list of things organizations care about -and trust me, they care about this one -is latent risk.  Obviously no organization says they want to be a target, or that they don't care for how much of their organizationally-critical assets they expose to attack or subversion... just that some do it by citing compliance, or other types of similar veins of risk.  Whether the risk is financial or legal... organizations care about minimizing risk.

Well, so now we can say that organizations want to spend as little as possible, have as little (negative) organizational impact as possible and have as little latent risk as possible -so can we call a state where all 3 of these factors are at their low points a state of full development of the program in question?  I would say yes, right?

So then... can we say that a state of SSA program maturity is one where an organization spends as little as possible, impacts the organization as little as possible and ends up with as little latent risk as possible?  I could make a compelling argument that this is the case.

So then when I say an organization is mature, more importantly, an organization's SSA Program is mature I mean that they've minimized their spending (thus maximizing their efficiency), they're impacting their business in a minimal way, and have decreased latent IT-based risk to their business applications to an acceptable level.

For the record I would never say this is either easy or doable without a monumental effort on behalf of the entire business and IT organization ...or that it can be done over a 3 month project and some magic beans.

Thoughts on that?

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Risk Management Information Technology Security SSA Software Security Assurance
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.