Putting Application Security into Context

For some time now, I have wondered why InfoSec practitioners are paying so little attention to context with respect to application security and why InfoSec professionals and software safety engineers do not collaborate as much as they should.

Then I read a column on the Op Ed page of The New York Times of December 4, 2014 by T.M. Luhrmann, a professor of anthropology at Stanford University, with the title “Wheat People vs. Rice People.” Professor Luhrmann contends that there is a significant difference between how rice cultivators of Asia and wheat growers of the West view context. To quote the article:

“… Thomas Talhelm [led a study] that ascribed … different orientations to the social worlds created by wheat farming and rice farming. Rice is a finicky crop … [that requires] complex irrigation systems …. One farmer’s water use affects his neighbor’s yield. A community of rice farmers needs to work together in tightly integrated ways … Wheat needs only rainfall, not irrigation. To plant and harvest [wheat] … takes half as much work as rice does, and substantially less coordination and cooperation … historically, Europeans have been wheat farmers and Asians have grown rice.” [emphasis added]

A number of years ago—actually at the 2010 RSA Conference—I gave a presentation on application security metrics in which I pointed out that it is important to consider the context (operating system, platform, hardware, industry, etc.) and that security metrics need to be tailored to each context. More recently, my book “Engineering Safe and Secure Software Systems” emphasizes the need for collaboration and cooperation between software engineers trained in security and safety … two very different fields of expertise. This latter assertion is specifically supported in the November/December 2014 issue of IEEE Security & Privacy magazine, which is devoted to the security of energy control systems.

Business tycoon and philanthropist, Leslie Wexner, was quoted (in Forbes magazine’s online quote of the day for December 4, 2014) as follows: “Society can’t wait. It’s sad there are so many entrepreneurs, business successes and venture capitalists who give no thought to society.”

If we put all this together, then we must come to the unfortunate conclusion that the U.S. and European cultures are against innovative systems contemplating context and system designers and developers collaborating to ensure both security and safety. Just consider the risks that such cultures will attach to the Internet of Things, autonomous vehicles and fly-by-wire airplanes. Are there droughts and famines on the horizon for wheat-oriented software engineers? Or will rice-growing cultures take over as the need to consider context escalates?

Post a Comment

Your email is never published nor shared. Required fields are marked *