Friday, 5 December 2008

We will fix the security later

I wonder why fixing security issues usually ends up as one of the last things to be done in any given IT project. If the same were true in the physical world, I would be really afraid. Would we accept a first version of a car without brakes, without airbags, etc.? I have often been invited to participate in projects where everything is ready... now we just have to fix the security as well. Usually it is then too late to "fix" anything, and the cost of making it secure becomes a problem for the whole project... and I end up as the bad guy. The result is often that security has to give way to "time-to-market" or to some other reason that takes precedence over the security aspect. Don't get me wrong, security means nothing if it does not help the business, but why not think about security from the beginning instead? That would be cheaper, faster, and would produce less grey hair on my head.
Maybe part of the problem is that we as customers do not expect anything to be secure anymore. Instead, we applaud when a vendor (for the 100th time) sends out a new, more secure version than the one we got two weeks ago. We of course know that we will have yet another, even more secure version in two weeks' time... and we accept that, which in a way is rather strange. I am the first to admit that it is hard to develop secure software, but sometimes I feel that the industry has given up. We accept the car without brakes.