“Design is the most neglected aspect of software security.” — Jim Routh
In this 50 in 50 Interview with Jim Routh, we have an extended discussion ranging from the line between design and remediation and the ideas behind Gene Kim’s “The Phoenix Project” to his work using kanban systems for cross-functional sharing. Jim has one of the best analogies I’ve ever heard on how to envision a tool for automated vulnerability discovery during the software development process.
“When a finger tip goes on a keyboard to write code, that’s the time to introduce security into the development process.” — Jim Routh
Part 02 in an upcoming segment explains how components started as a simple idea and are now a central part of the open source development process.
Listen to the Interview: Jim Routh – Software Design and Remediation
“The more you frontend controls in the development process, the less expensive it is to introduce the change.” — Jim Routh
Highlights of the Discussion
00:05 Introducing software security concepts into the development life cycle
02:51 The line between design and remediation
08:18 An automated development tool with contextual help
10:54 Pushback to new security methodologies
13:30 The concept of security “moving left” in the application life cycle
17:02 The Phoenix Project, Kanban boards and cross-functional sharing of information
About Jim Routh
Jim Routh is the Chief Information Security Officer and leads the Global Information Security function for Aetna. He is the Chairman of the FS-ISAC Products & Services Committee and former board member. He is currently a board member of the National Health-ISAC. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express and has over 20 years of experience in information technology and information security as a practitioner, management consultant and leader of technology, analytic and information security functions for global financial service firms.
Jim is the winner of the 2009 BITS Leadership Award for outstanding leadership of the Supply Chain Working Group sponsored by the financial industry in collaboration with NIST and the Department of Treasury. He was the 2007 Information Security Executive of the Year for the Northeast and is a widely recognized expert in security program implementation. Jim was successful in reducing information security costs while significantly improving enterprise risk management practices through innovation and transformational leadership.