Monday, February 7, 2011

review of Forcing Firms to Focus: Is secure software in your future?

In the chapter Forcing Firms to Focus, the author, Jim Routh, gives an actual scenario from a company where he was the CISO, describing how he progressed from winning over the stakeholders all the way to gaining the trust and respect of the developers. He uses a generic name, but of course I had to find out who the company was that he worked for and was discussing. The company that he was working for was American Express. (Anonymous, 2011a) As a major financial institution with a large working budget, it was obvious that he had little convincing to do on the part of the stakeholders and the board of directors.

He discusses previous security measures and modern security methodologies as well as potential threats. He mentions the Melissa virus (Ellis-Christensen, 2011) as a modern virus that virtually shut down Microsoft servers by attaching itself to either Word or Outlook, picking the first 40 names in the address book, and re-sending itself to them. Fortunately, Microsoft realized this right away and created a patch for it, which now exists in all parts of MS Office in versions beginning with Office 2000. He explains that web applications are usually the route by which intruders gain access to servers and obtain large amounts of data, including information used for identity theft against the end user. (Oram & Viega, 2009)

The author cites a statistic from a survey conducted by McAfee in which approximately two thirds of mothers who were end users ranked their teenager's online safety as important as, or more important than, drunk driving or drug use. I personally could not find this survey, but for the matter of record, I find this a bit far-fetched and wonder how the survey was conducted.

The author tells us that we can find the top 10 favorite hacking techniques on the website of The Open Web Application Security Project (OWASP), which listed the number one hacking technique (at the time Beautiful Security was published) as cross-site scripting (Oram & Viega, 2009); as of today it is listed as number two, with number one being injection. The technical impacts of injection are described as follows: "Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover." (Anonymous, 2011b) On this website, the reader can find Threat Agents, Attack Vectors, Security Weakness, Technical Impacts and Business Impacts for most known security threats.

As is usually the case, Routh described that at American Express [1] developers were not very concerned with security vulnerabilities, since these could be dealt with in future enhancements. He then goes on to describe how he convinced American Express that security threats must be considered while the code is being developed.

The author was aware of new regulations that were coming, and in 2008 the first guidelines were issued by the Office of the Comptroller of the Currency (OCC). (Corporate, 2011) He stated that the cost of compliance was significant, but at this point American Express had no choice in the matter. They put in place a software development process that they used both internally and as mandatory guidance for their vendors. To be assured that they were in compliance, they used a third-party vendor to check their own code as well as the code of the vendor. This vendor, Verify, is a globally known organization that is used for multiple security purposes and has clients such as many U.S. government departments. (Anonymous, 2011c)

The author concludes that his effort saved his organization 11% in productivity by eliminating security vulnerabilities early in the software development lifecycle instead of spending those dollars to fix problems after they occur. (Oram & Viega, 2009)


Anonymous. (2011a). InformIT Network. 2011, from

Anonymous. (2011b). OWASP top ten project. 2011, from

Anonymous. (2011c). Verify homepage. 2011, from

Corporate. (2011). Office of the comptroller of currency. 2011, from

Ellis-Christensen, T. (2011). What is the Melissa Virus?, from

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security. O'Reilly Media, Inc.

[1] assuming that my research is correct and American Express is the actual name behind his fictitious name of Acme