Josh Corman and I had some long conversations in the past few weeks. Frequently in those conversations, Josh brought up his idea of the “Software Survival Guide Pyramid”. He even drew one in my notebook as we were talking yesterday:
The bottom of the pyramid is the most powerful layer, Defensible Infrastructure; moving up through Operational Excellence and Situational Awareness, you reach the topmost layer, Countermeasures. The interesting part of this theory is that Countermeasures are the least effective way to establish and maintain security in your networks and applications. The analogy Josh uses is the “Food Pyramid”: the top of the pyramid is empty calories, the least efficient way to maintain security.
“Countermeasures are zero calorie solutions.” — Josh Corman
The dilemma is that most people are spending money on “zero calorie” solutions to manage software security. How could that be? Why would a company spend time, resources and money on the least effective way to solve the problem?