About a decade ago, many large software makers learned some very difficult lessons about software security and building security into their products from the start. Some are still learning. The FTC and a variety of security experts are hoping that today’s crop of start-ups will not have to go through that same painful process.
The FTC is launching a new initiative aimed at start-ups, called Start With Security, that’s designed to help smaller companies build security into not just their products, but also into their cultures. One of the thrusts of that effort is encouraging companies to begin thinking about the security of their products from the very beginning of the design and development process. This is something that vendors such as Microsoft, Adobe, and many others have been doing for some time.
But that’s not always because someone inside the company just thought it was a keen idea. In most cases, the changes the software makers made were in response to repeated public attacks on their products and pressure from customers for change. Microsoft is the perfect example. Following a series of major worms that exploited bugs in its products, the company did an about-face on security.
Window Snyder, who was in the security group at Microsoft at the time, said during a panel at an event sponsored by the FTC in San Francisco Wednesday that the change was an incredibly difficult one for the company.
“The real motivator for change at Microsoft was a tremendous amount of pain. You guys don’t have to go that route,” said Snyder, who is now the CSO at Fastly.
“The cost to Microsoft to make those kinds of changes was tremendous. It was a huge challenge for them to try and turn the ship at that point. That was a huge cost and you don’t want to do it at the end, you want to do it at the beginning. That’s the time to think about security.”
Not only is the process simpler when you start thinking about security early, it’s far less expensive, the panelists said.
“Security is much, much, much cheaper the earlier you do it,” said Devdatta Akhawe, a security engineer at Dropbox. “Either you can plan for security early on and be happy later, or keep fighting and have an expensive battle later on.”
This is a message that software security experts and many others have been trying to convey to developers and design teams for a long time, with varying levels of success. Many large enterprises, not just commercial software vendors, have adopted secure coding and threat modeling practices and become involved in projects such as BSIMM, a software security maturity model.
But getting the security message across to non-security people can be a difficult process. Frank Kim, CISO of The SANS Institute, said making the risks and rewards real for people is an important aspect of the effort.
“You have to focus on telling stories. You can’t just go and say, ‘There’s a vulnerability in this line of code and you’re a terrible person,’” Kim said. “We make it tangible and concrete by telling stories about what can happen to your application as a result of that vulnerability.”
The seriousness of the security problem is not lost on officials at the top of the FTC, which is responsible for investigating and punishing companies that fail to live up to security and privacy standards.
“In a world where everything is connected, insecure products and services can have severe consequences. It’s never been more clear that we must secure the software supporting our digital lives,” FTC Chairwoman Edith Ramirez said in her opening remarks at the event.