The thing that’s hardest about software security is grasping the big picture. In the heat of the moment, it is easy to make the wrong decision. When your company’s bank account is low and everyone’s telling you, “We have to release this product NOW,” it’s going to be hard to say, “It’s too risky to release because we aren’t meeting our security policy.” When your biggest customer says, “I need you to open this port in your firewall NOW,” it’s hard to say, “No, let’s take a little time and find the right way to get this done.”
In the end, it’s simple: Software is critical infrastructure. The resources required for security in the short term are justified by reduced risk and lower expenses in the long term. This is a significant shift from the get-it-done-and-ship-it-yesterday mentality that’s been the status quo, but if we’re going to build all our other infrastructure on top of software, we need to change our thinking and our processes to build software right.