Summary:

While the majority of security practice — and spending — is focused on post-development products and enterprise approaches, some have sought to change the focus of security from the networks we manage to the systems we build. The burgeoning Secure Software Engineering (SSE) community has sought to identify and espouse activities, built upon traditional software engineering, that address the introduction of vulnerabilities as a means of stemming the growing tide of security problems before they can be realised. It is widely believed that not only do such approaches hold promise to limit exposure and reduce security incidents, but they are also a valid security investment that decreases overall security expenditure.

While many initiatives are now underway to codify such SSE practices, a treatment of the economic considerations has yet to be conducted. We propose an initial model that captures SSE investment as a means of reducing defender uncertainty regarding vulnerabilities while raising the cost to the attacker. This approach is instantiated as a companion process to traditional security models, and we use the Iterated Weakest Link (IWL) model of (post-deployment) security investment to demonstrate how defender security investment can be optimised over the system’s lifecycle. The results indicate both an increased return on security investment — the Return on Secure Software Process (ROSSP) — and reduced post-deployment costs. It is our hope that this model paves the way for a more comprehensive treatment of security investment that unifies pre- and post-deployment security investment, leading to a more comprehensive view of security in software systems.