High ROI Security Activities




You can create effective security activities based on the high ROI engineering activities:



  • Security design guidelines

  • Security architecture and design review

  • Security code review

  • Security testing

  • Security deployment review


Rather than interspersing security in your existing activities, factor security into its own set of activities. Factoring security into its own workstream of quality control keeps the activities lean and focused. Because you're leveraging high ROI activities, you increase the likelihood of influencing the shape of the software at strategic points. You create an engineering system that helps you address security throughout your software development rather than only up front or after the fact. Using multiple activities instead of a single big bang effort up front or at the end creates an approach that scales up or down with project complexity and size.
 


The trick is to not over-invest at any one stage: stay leveraged. Rule out losing strategies early in the analysis but still cast a wide net. Progressively more costly analysis happens later and is much more likely to be on the correct path. Don't spend a lot on costly late activities until you've passed muster on much less costly activities. Start with low cost, high ROI activities, learn along the way, and iteratively add more time and expense as you better understand what you are doing.
 


Simply factoring security into its own activities doesn't by itself produce effective security results. However, factoring security into focused activities does give you a way to optimize your security efforts, and it creates a lean framework for improving your engineering as you learn and respond.

Comments (5)

  1. alaw says:

    Great stuff – keep it coming!!!

  2. SecurityGuidanceTeam says:

    patterns & practices has released the Security Engineering Explained guidance which JD describes as High ROI Security Activities. Follow the URL for the announcement of this new guidance.

  3. alik levin's says:

    Lifecycle and prioritization seem like a key to successful implementation of Security Engineering. Why

  4. alik levin's says:

    I am not a marketing guy, nor a strategic one – I really do not know why I started to read this post – Why

  5. Threat Modeling is a way to identify potential security issues to help you shape your application’s security