Friday, March 17, 2006

Security - a process based holistic approach

I have to say that I'm no different from other developers - so the first thing I thought when seeing that a presentation was scheduled about security was "YUK...". Fortunately, the presentation was done by Rafal Lukawiecki, and it definitely was worthwile - you can also see the session on Process based holistic security on MSDN Showtime - or download the presentation

We took a look at 3 different frameworks:
  • Octave and OctaveS

  • Simplified security risk analysis

  • Formal threat analysis

  • One interesting statement was definitely the one about the cost of security - "Security is very expensive, it will typically cost between 20 and 60% of development effort". To justify this kind of cost, there actually are some measurements you can use, one of them is ROSI (Return On Security Investment). There also is a way you can quantify risk which is pretty straightforward and which will work very nicely when you are working with customers in the financial or investment sector. Security implies a certain risk so as with any other risk you should look at the cost for getting an assurance to protect against the event in which the risk might occur.

    No comments: