Josh Corman and I had some long conversations in the past few weeks. Frequently in those conversation, Josh brought up his idea of the “Software Survival Guide Pyramid“. He even drew one in my notebook as we were talking yesterday:
The bottom of the pyramid is the most powerful, Defensible Infrastructure, up to the top most layer, Countermeasures, after moving through the states of Operational Excellence and Situational Awareness. The interesting part of this theory is that Countermeasures are the least effective way to establish and maintain security in your networks and applications. The analogy Josh uses is that if you think of the diagram in terms of the “Food Pyramid”, the top of the pyramid is empty calories, the least efficient way to maintain security.
“Countermeasures are zero calorie solutions.” — Josh Corman
The dilemma is that most people are spending money on “zero calorie” solutions to manage software security. How could that be? Why would a company spend time, resources and money on the least effective way to solve the problem?
After investigating dozens of vendor solutions for three days at the Gartner Security and Risk Management Summit this week, I’ve come to the conclusion that the problem is so large, it’s almost impossible for an ordinary schmo like me to grasp. There are solutions for all types of security issues, making it very confusing as to what the real problem is. To me, it looks like vendors are providing fat-thumb solutions to “plug the holes in the dyke” while the real problem is to build a better dam.
As it stands, the applications themselves have vulnerabilities that are being exploited, but we’ve been taught to build a moat of firewalls, identity management solutions and network security around those applications to make them more secure, when what is needed as a base is a better way to make secure software.
That’s where Josh’s diagram comes in. Here’s the real version:
You want to start with a Defensible Infrastructure, a solid foundation, which includes a software development process that at least has a fighting chance to create safe applications.
There’s a lot more to be said on the subject of secure application development, but to keep the conversation going, here’s a short 7 minute talk Josh gave to introduce the idea of Defensible Infrastructure.
In the coming weeks, I’ll be talking more with Josh and his cohort Gene Kim, author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win“. We’ll explore what it takes to build a truly secure system (if there is such a thing) and see if we can discover a new way to build safer software without having to pay for all those twinkies at the top of the pyramid, because you know even Hostess is going to go out of business sooner or later.