Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Want better security? Stop calling it research

Michael Santarcangelo | Feb. 16, 2016
James Jardine lays out his approach to get security integrated earlier into development by enhancing existing processes over advocating for security research

specimen shelves

The way we advocate for better security impacts our success.

What happens if you suggest your organization subject itself to security research? What sort of reaction do you think you'll get? Better, how would you define and explain it? Why?

Contrast that to suggesting you enhance existing processes with stronger security measures -- tailored to the needs of the organization. It's a stronger approach. It leads to better integration of security. Imagine actually including security sooner in the process?

James Jardine (LinkedIn,@jardinesoftware) of Jardine Software penned a post last week laying out the difference (read it here). His take on the distinction between security research and testing lays out our opportunity. In fact, I see it as a way to speed up support for security research and other programs aimed at making it better for all of us.

Here are five questions with James about why the concept matters and how you can take advantage of it.

What inspired your recent article about the definitions of words and the impact on our efforts in security?

I read a tweet supporting the FDA push for medical device makers to allow security research. It caused me to step back to think about the phrase "security research." Further, what does it actually mean to allow more security research? Given known issues with security protocols, devices, and applications, is what we need more research?

Instead of research, what if the statement read "FDA pushing for medical device makers to adopt stronger security testing"?

The security industry struggles to define security research. We offer "bug bounty" programs. Both offer value and introduce confusion. Businesses who seek better security know what QA is. They have programs to test and ensure a desired level of quality. Instead of focusing on research and bounties. If we focus on language and concepts they already have, we get more traction.

When looking at security research versus testing, what is the problem we're trying to solve? What is the business need?

Security is a young field. It is still confusing to a lot of people. Defining security research is more complex. We're debating it in the industry. In my view, security research plays a valuable role in identifying new challenges and advancing solutions.

Once the bug, vulnerability, or like is defined and validated, looking for it is the role oftesting. Following established processes and methods to look for known potential defects within specific instances. For example, a medical device manufacturer could test for identified flaws for that type of device. This includes both common problems known to impact the class of device (like insecure transmissions or default passwords as well as anything specific to the device itself.


1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.