You take calculated risks every day. Just this morning, say, you might have decided to cross an empty street against the light because you were late for work. But if you had been with your child, you would have made a different decision.
We rely on our experiences, and those of people we trust, to set the bar for the risks we take on. Some risks are acceptable and some aren’t. Software security is no different. As a security practitioner, you’re in charge of assessing security risks that have an impact on your customers’ trust and your business’s reputation. So you can’t make arbitrary decisions.
A key finding from the annual BSIMM study is that many firms focus on high-risk applications, thinking this is enough to mitigate their risk of attack. But medium- and low-risk apps are also part of the attack surface. How do you decide which applications to secure and how to secure them?
You could do nothing and just hope your software and systems are secure. You could waste resources performing haphazard security testing on random applications. Or you could create a software security initiative (SSI), a program that helps you balance available resources against unacceptable risks.