Too many firms treat software security as a “tower defense” game. When they lose to the attackers, they try to figure out how those attackers “got in.” (To do this, they often hire a firm like Mandiant.) And then they try to build their IT “walls” better. It is tempting to let the bad guy throw rocks at that tower all day long. Then, when the attacker “wins,” we simply redirect some resources to building the walls a bit higher and better. And then we go back to letting attackers throw rocks again.
If we take the Wikipedia article on tower defense games and look at the description, it becomes eerily prescient with respect to some firms’ security posture. A few choice word replacements make this suddenly sound exactly like what’s happening.
Software security is not a tower defense game. Firms cannot sit back, let the attacker attack, and then deploy clean-up and forensic resources after the fact. Nor can they simply tick the compliance boxes. Attackers don’t care about PCI DSS, HIPAA, or any other compliance standard. In fact, an organization that does compliance work and nothing else tells attackers exactly which security controls exist, and therefore where to aim. Building software securely from the beginning ensures security across the life cycle of the software, and that’s the best way to minimize the amount of tower defense a firm has to play.