There is a great white paper at sans.org, written by Elizabeth Stanton, titled “Security through Quality Assurance Practices”.
I found it by doing a Google search for “quality computer security”.
In my quest to explain to non-security people why they need to pay more attention to computer security, I want to avoid blasting headlines such as “There was $3 billion of computer crime committed last year and you are next”. There are plenty of articles of that kind, such as VOAnews’ article on how ‘security experts struggle to keep pace’.
Relevant snippet from the VOAnews article:
{With regard to starting a hacker business: “For $200, you can set up a business,” said Al Berman, President of New York’s Disaster Recovery Institute International (DRI).
But Carnegie Mellon University’s Nicolas Christin, Assistant Research Professor of Electrical and Computer Engineering, said more reliable figures place the annual global costs of online crime at around $3-4 billion. “It may be a bit conservative,” he said in an email, “but I believe in the right order of magnitude.”}
On today’s Bloomberg, Marc Andreessen (http://www.bloomberg.com/news/videos/2015-08-31/andreessen-pentagon-wants-to-work-with-silicon-startups) says on cybersecurity:
This is asymmetric, so defense has to be more sophisticated. “Defense has a bigger challenge – defense has to be right 100% of the time, but offense only has to be right once.”
Biggest risk: we are not used to defending against nation states; the threat profile has changed dramatically. Marc invests in Silicon Valley startups.
I know, and most people know, that cybersecurity must be worked on. To help, we must get more people on board to spend more resources, from the top down to everyone in the organization.
Without having to explain more cyber details, the dire situation we are in must be communicated quickly and efficiently to all, since we are all a portion of the defense. Remember:
People, Process and Technology is the solution, and people are a big part of it: all employees have to be on board that this is an important thing to learn and get on top of.
Back to Elizabeth’s white paper:
Security is defined by the American Heritage Dictionary, in their online database, as:
Also: “there is a high correlation between business success and disciplined quality management fundamentals.”
There is an argument by Ms Evelyn Labbate (also a SANS instructor) addressing an aspect of improving product quality; the argument is that “increasing the quality of software will in turn reduce the risk of vulnerabilities into a system.”
Security awareness is also an important aspect, and taking a QA approach is an improvement for the whole business.
Everyone must understand the security implications of running a new application, as one cannot have a setup that is both 100% secure and 100% functional.
Quality should be the focus: fewer mistakes should mean fewer security issues, as long as security is a focus as well.
So, as I have discussed before with a Six Sigma push:
http://oversitesentry.com/assume-you-are-hacked-so-get-6-sigma-security/
The idea is that a quality-control focus on software development, on configurations, and on the administration of computer networks will improve computer security. Since we have to have a 100% defense and the offense only has to be right once, our work is cut out for us.
You might say: 100%? We can’t do that… what about mistakes? That is why Six Sigma was invented; it is as close to 100% as humans can be: 99.9999%, six 9’s.
The idea is to focus on quality control, reduce errors consistently, and always improve. Eventually you can get to 6Σ.
Edited on 9/1/2015 for grammar, and some content added.