Analysing Aberdeen Group Application Security Study

I had a comment on my post "Early security engagement in projects - critical or a waste?" providing a link to a study. It asked for my thoughts on a December 2010 Aberdeen Group study titled "Security and the Software Development Lifecycle: Secure at the Source". The study has a headline: "Top Performers Invest More Annually in Their Application Security Initiatives, but Realize a Higher Return by Identifying and Remediating More Vulnerabilities Prior to Deployment". The key conclusion is that companies practising security at the source saw "a very strong 4.0-times return on their annual investment". I was asked, so here are my thoughts:

Early security engagement - critical or waste?

An axiom of information security is that early engagement in projects and the Software Development Lifecycle (SDL) will produce more secure systems. As I quite enjoy challenging axioms, here goes.

Payments revolution in next two years?

There are some really interesting developments occurring in the world of online and off-line payments. In less than two years' time, the way we pay for things, and even whether we need to carry a wallet full of cash and plastic at all, could be in question. This could also have some interesting security implications.

Obama Cyber ID = bad idea

Photo: laverrue
Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans; a White House official said it is "the absolute perfect spot in the U.S. government" to centralize efforts toward creating an "identity ecosystem" for the Internet.

This is such a bad idea and will never work, and these are some of the reasons: