I just finished reading Verizon’s insightful 2012 Data Breach Investigations Report. As usual, well-known vulnerabilities such as guessable or brute-forceable credentials and SQL injection continue to be the root cause of the vast majority of hacking-related breaches. The report reminded me of a really thought-provoking presentation from Source Seattle last year by Myles Conley. He claims that we’re not necessarily lacking “app sec” experts, but rather lacking project management in information security. The premise is clear: the information security community has the know-how and capability to prevent many of the simple attacks that result in breaches. Consistent, disciplined execution of these preventative measures is where we struggle.
Atul Gawande noted a similar challenge with deaths arising from surgical defects in The Checklist Manifesto. Creating a checklist of simple measures, like forcing each member of the surgical team to introduce themselves at the start of the procedure, resulted in a 47% reduction in deaths arising from surgical complications. Dr. Gawande and his team gleaned their insight about the power of checklists from the safety track records of other industries such as aviation.
Information security can also learn from the track record of other industries. Checklists for preventative measures in the development process can help us establish simple, lightweight governance similar to pilots’ pre-flight checklists. The challenge we face, however, is that unlike flights and surgical procedures, preventative information security controls and procedures tend to vary wildly with factors such as industry, technology stack, compliance requirements, and so on. One simple checklist just isn’t sufficient for every piece of software. Moreover, many practitioners are turned off by a “checklist approach to auditing” because of poor experiences with auditors who use inefficient, static checklists to review a large variety of security controls. This challenge led us to use dynamic, profile-based checklists in the design of SD Elements: the checklist is derived from what the project actually is, so each team sees only the controls that apply to it. We truly believe that applying consistent, lightweight checks for preventative security controls will help us significantly reduce the number of incidents arising from well-known, preventable defects. Indeed, some of the most mature application security organizations we speak to have already built this capability in-house.
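To make the idea of a profile-based checklist concrete, here is a small added example (not SD Elements’ code, and not from the original post). A project profile records a handful of facts (technology stack, compliance scope, whether it authenticates users), each control in a catalogue carries a predicate saying when it applies, and the checklist is generated from the two. The control IDs, titles and profile fields are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set


@dataclass(frozen=True)
class Profile:
    """Facts about one project that decide which controls apply (constructed example)."""
    name: str
    tech: FrozenSet[str]          # e.g. {"web", "sql", "django"}
    compliance: FrozenSet[str]    # e.g. {"pci-dss"}
    has_user_auth: bool


@dataclass(frozen=True)
class Control:
    """One preventative control plus the predicate that says when it belongs on a checklist."""
    id: str
    title: str
    applies: Callable[[Profile], bool]


def always(_: Profile) -> bool:
    """Baseline control: relevant to every profile."""
    return True


# Constructed catalogue; IDs and wording are illustrative, not any vendor's.
CATALOGUE: List[Control] = [
    Control("C-01", "Inventory third-party components and patch known vulnerabilities", always),
    Control("C-02", "Use parameterized queries / prepared statements for all SQL",
            lambda p: "sql" in p.tech),
    Control("C-03", "Enforce password length, reject common passwords, throttle failed logins",
            lambda p: p.has_user_auth),
    Control("C-04", "Apply contextual output encoding to user-controlled data rendered in HTML",
            lambda p: "web" in p.tech),
    Control("C-05", "Never store full track data or CVV; encrypt the PAN at rest",
            lambda p: "pci-dss" in p.compliance),
    Control("C-06", "Require TLS on every connection carrying credentials or card data",
            lambda p: p.has_user_auth or "pci-dss" in p.compliance),
]


def build_checklist(profile: Profile, catalogue: List[Control] = CATALOGUE) -> List[Control]:
    """The dynamic checklist: only controls whose predicate holds for this profile."""
    return [c for c in catalogue if c.applies(profile)]


def outstanding(profile: Profile, verified: Set[str],
                catalogue: List[Control] = CATALOGUE) -> List[str]:
    """IDs on the profile's checklist that nobody has signed off yet."""
    return [c.id for c in build_checklist(profile, catalogue) if c.id not in verified]


if __name__ == "__main__":
    # Constructed sample profiles: an e-commerce web app and an internal CLI tool.
    shop = Profile("shop", frozenset({"web", "sql", "django"}), frozenset({"pci-dss"}), True)
    cli = Profile("cli", frozenset({"cli"}), frozenset(), False)
    for project in (shop, cli):
        print(f"== {project.name} ==")
        for control in build_checklist(project):
            print(f"[ ] {control.id}  {control.title}")
    print("shop still to verify:", outstanding(shop, {"C-01", "C-02"}))
```

The web shop gets the SQL, authentication and PCI items; the CLI tool gets only the baseline component-patching item, so nobody has to wade through (or learn to ignore) controls that cannot apply. Adding a new fact to the profile, or a new predicate to the catalogue, changes every generated checklist without anyone editing a document by hand, which is what keeps the approach lightweight enough to run on every release rather than once a year during an audit.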
Checklists aren’t silver bullets. Applying the whole range of information security best practices, including vulnerability assessments, is still critical to securing information systems. That said, consistency in applying well-known controls will raise the bar for attackers. After all, as the DBIR reports, “97% of breaches were avoidable through simple or intermediate controls”.