Stop Treating Security like Leather Seats

Kent Welch

December 14, 2021

When was the last time you had to buy a new car? Some enjoy the haggling while others hate it, but if you want to maximize your ability to negotiate on price you’ll need to review the car’s models and options. For any given car, automakers generally present you with several baseline models, progressively adding more desirable options at an ever-increasing cost. Want the leather seats? You’ll have to upgrade to the model with the larger rims, infotainment center, backup camera and sun-roof as well, even if those options aren’t important to you. The idea is to keep bundling the most requested features into packages and models that require you to pay more for them. Automakers have been doing this for decades trying to maximize their profits.

The bundle model is a well proven sales tactic and many other industries have followed suit – including most software companies. The issue is many software companies include security as part of the bundle. Want the ability to assign roles to users? How about delegating administration rights? Need to integrate with your cloud-based identity provider? All that and a whole lot more are offered, but only in the ‘Enterprise’ edition. So you have to pay for features you may not want just to get the security “features” you need.


The problem is that security isn’t an option – it’s a requirement. Least-privilege access, the ability to use a single identity store, and audit logs of user access are baseline requirements no matter how large or small your organization may be. Any functionality required to securely implement, use, monitor and manage a software service or application shouldn’t be offered only as a bundled feature that drives users to the highest license tier. Security functionality should be available as an add-on to any license offered. Implementing and supporting such functionality costs real money, and users should pay a reasonable fee for it, but security functionality shouldn’t be used to push users to the highest licensing cost.

Orchestration addresses how to ensure that each piece of software involved in developing and delivering a software pipeline adheres to the organization’s security requirements. A team can only do that, however, if the options to do so are available in the security tools the organization uses. Too many software vendors are holding security hostage to push their users to higher licensing costs, making them pay for unnecessary features to get the security baseline they require.

If only those with the deepest pockets can secure their software then we will continue to see data breaches, ransomware attacks and identity theft. Until the software industry stops treating required security functionality like optional leather seats, we will never see the true “shift left” in securing our digital services and infrastructure.
