Wednesday, November 08, 2006
Enterprise Architecture and Software Security
A good enterprise architecture team will not wait around for industry analysts to provide coverage of problem spaces that are crucial, and one of them is the topic of software security. Industry analysts will publish tons of stuff on patch management, the latest Microsoft exploit and other hype of the minute, yet will not lift a finger to provide deep coverage on the root cause of these issues, which can be boiled down to the lack of software security training at many software vendors.
I wonder if large enterprises have ever asked their vendors, "do you have documented software security practices?" or do you allow your idiot CIOs to simply rant at the vendor about the amount of patches? Obviously, having documented software security practices, along with ensuring that the vendor's quality assurance practices actually converge with them, benefits all enterprises in the buy vs. build mindset.
It is utterly stupid that most EA teams aren't cognizant of the risks they expose their own enterprise to by not thinking about how to procure secure software. A vulnerability can be used not just to send spam or other nonsense; zero-day exploits may be a way to steal personally identifiable information. This of course will result in your enterprise spending millions on notifying all users of your system while your CEO's mugshot is featured on the evening news. Maybe this is the opportune time to tell him that you were too freakin lazy to do your own homework and have outsourced all thinking to large analyst firms, and oh by the way Mr. CEO, don't drop the soap.
There is no one in the blogosphere in corporate America who knows more about security than me! Yet, I am smart enough to know what I don't know and will find folks who can fill in the gaps in my own knowledge. This week, several of my peers and I are learning from Kenneth van Wyk, and I have learned a lot that I hope can make not only my own enterprise better but also many of the open source projects I contribute to.
Of course, many enterprisey folks struggle with the four-letter word known as budget. If, as an EA team, you can't solve for this minor impediment for something so important, at least go to Amazon, type in the name of Gary McGraw and purchase a couple of copies of his books for your peers. Your enterprise will be more secure if you are simply willing to do a little bit of homework. I wonder if Robert McIlree and James Robertson think security is worth talking about and, more importantly, what steps they have taken to make things more secure...