Tuesday, 6 March 2012

eBooklet - Software Security Debt in Modern Software Development

So we've just released our inaugural eBooklet titled Software Security Austerity - Software security debt in modern software development.

It's a 7,500+ word look at the concepts of security debt and software security austerity. It provides both an introduction as well as real-world strategies to effectively manage security debt within the software development process.

Paper Abstract

The concept of technical debt is not a new one. Technical debt has historically referred to the trade-off between getting a solution or system to market versus shipping a perfectly designed, bug-free product. In the process of trading perfection for an economically viable development model, the software incurs a degree of debt.

The debt analogy is starting to be applied to systems and software security. Recx have previously discussed some of the trade-offs made with regard to software security and time-to-market in our article entitled: Breaking the Inevitable Niche/Vertical Technology Security Vulnerability Lifecycle.

It is important to recognise that a Secure Development Life Cycle (SDLC) does not stop the presence or accumulation of security debt. A maturing SDLC allows an organisation to identify weaknesses and thus convert a larger volume of previously unknown debt into known security debt. Once known, the security debt then needs robust processes to both service and repay it over a period of time. Typically SDLCs only set the criteria for the issues that must be fixed above a certain impact level. As organisations get better and more efficient at identifying security issues they typically start to accrue a substantial number of lower-rated issues in the process. While these issues may on their own have less of an impact, when several lower-rated issues are combined they can be as impactful as higher-rated issues. As a result, the accumulation of a large number of lower-impact issues without any strategy for resolving them can be equally as risky to security.

In this white-paper, Recx first introduces the reader to the concept and risk of software security debt. A review is then performed of the types and sources of debt, before discussing how it can build up when using a risk-assessment-based approach to prioritisation. A number of debt management strategies are then presented, along with associated events such as servicing, repayment, overhang and expiry. Finally, a number of conclusions are drawn around software security debt and why it needs to be considered as part of mature secure software development and risk management processes.

Paper Availability

We're making the paper available in a number of formats. We've published it for the Kindle and it's available to buy for £2.05 (GBP) from the Amazon store.


In addition, we've created an ePub version of the paper and made that available for the same price from our Google checkout.

We're also making the paper available for download direct from us as a PDF for free. The reason for both selling it and giving it away? Well, we think the information is valuable and worth the money, but we also want you to decide whether you think it's worth paying less than the price of a pint of beer (or about 20% of a single ACM portal download) for.

Why No iTunes / Barnes and Noble Nook Stores?

When we started down this road we wanted to have it available on all stores. However, we couldn't do this, for the following reasons:
  • Apple - you need an ISBN, which we didn't think was appropriate for a booklet.
  • Nook - they currently only accept USA-based publishers.
To address this gap we made the ePub available for purchase.
