Focus on Quality Improves Computer Security

There is a great white paper at sans.org: Elizabeth Stanton wrote it to highlight “Security through Quality Assurance Practices”.

I found it by doing a Google search for “quality computer security”.

In my quest to explain to non-security people why they need to pay more attention to computer security, without blasting headlines of “There was $3 billion of computer crime committed last year and you are next”: there are plenty of those kinds of articles, such as VOAnews‘ article on how ‘security experts struggle to keep pace’.

Relevant snippet from the VOAnews article:

[With regard to starting a hacker business] “For $200, you can set up a business,” said Al Berman, President of New York’s Disaster Recovery Institute International (DRI).

But Carnegie Mellon University’s Nicolas Christin, Assistant Research Professor of Electrical and Computer Engineering, said more reliable figures place the annual global costs of online crime at around $3-4 billion. “It may be a bit conservative,” he said in an email, “but I believe in the right order of magnitude.”

On today’s Bloomberg, Andreessen (http://www.bloomberg.com/news/videos/2015-08-31/andreessen-pentagon-wants-to-work-with-silicon-startups) says on cybersecurity:

This is asymmetric: defense has to be more sophisticated. “Defense has a bigger challenge – defense has to be right 100% of the time, but offense only has to be right once.”

Biggest risk: we are not used to defending against nation states; the threat profile has changed dramatically. Marc invests in Silicon Valley startups.

I know, and most people know, that cybersecurity must be worked on. To help, we must get more people on board to spend more resources, from the top down to everyone in the organization.

Without having to explain more cyber details to people, the dire situation we are in must be communicated quickly and efficiently to all. We are all a portion of the defense – remember:

People, Process and Technology is the solution, and people are a big part of it: all employees have to be on board that this is an important thing to learn and get on top of.

Back to Elizabeth’s white paper:

The American Society for Quality has made the following statements about quality:
• Quality is not a program; it is an approach to business.
• Quality is a collection of powerful tools and concepts that is proven to work.
• Quality tools and techniques are applicable in every aspect of the business.
• Quality increases customer satisfaction, reduces cycle time and costs, and eliminates errors and rework.
• Results (performance and financial) are the natural consequence of effective quality management.

and

Security is defined by the American Heritage Dictionary in their on-line database as:

1) Freedom from risk or danger; safety; 2) Freedom from doubt, anxiety, or fear; confidence; 3) Something that gives or assures safety, as: a) A group or department of private guards; b) Measures adopted by a government to prevent espionage, sabotage, or attack; c) Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or cybercrime (my addition).

Also, “there is a high correlation between business success and disciplined quality management fundamentals.”

There is an argument by Ms. Evelyn Labbate (also a SANS instructor), in addressing an aspect of improving product quality, that “increasing the quality of software will in turn reduce the risk of vulnerabilities in a system.”

Security awareness is also an important aspect, and taking a QA approach for a business is an improvement for all.

Everyone must understand the security implications of running a new application, as one cannot have a setup that is both 100% secure and 100% functional.

Quality should be the focus, as fewer mistakes should mean fewer security issues, as long as security is part of that focus as well.

So, as I have discussed before with a six sigma push:

http://oversitesentry.com/assume-you-are-hacked-so-get-6-sigma-security/

The idea is that a quality-control focus on software development and on the configuration and administration of computer networks will improve computer security. Since we have to have a 100% defense and the offense only has to be right once, our work is cut out for us.

You might say, 100%? We can’t do that… what about mistakes? That is why six sigma was invented: it is as close to 100% as humans can be, 99.9999%, six 9’s.

The idea is to focus on quality control, reduce errors consistently, and always improve. Eventually you can get to 6Σ.

edited on 9/1/2015 for grammar and some content added