{"id":50,"date":"2011-02-08T11:25:54","date_gmt":"2011-02-08T19:25:54","guid":{"rendered":"http:\/\/blog.mozilla.org\/webappsec\/?p=50"},"modified":"2011-02-08T11:25:54","modified_gmt":"2011-02-08T19:25:54","slug":"scaling-security","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2011\/02\/08\/scaling-security\/","title":{"rendered":"Scaling Security"},"content":{"rendered":"

The AppSec<\/span> space is an extremely challenging field to work in, largely due to asymmetry; when you play defence you have to work to stay on top of each emerging threat, vulnerability, and development that falls into your scope.\u00a0 Working to protect a system or application where there is fixed number of resources to spend on protecting a set of assets, choices have to be made about how to best spend those resources to prevent the attackers from winning.\u00a0 The best way to do that is by applying risk analysis techniques and focusing on the highest risk assets.\u00a0 Once those assets are identified, a decision has to be made about how to invest time and effort in design vs. implementation, static vs. dynamic analysis, and automated vs. manual testing.\u00a0 Regardless of the goal of continuous engagement within the SDLC, decisions are made based on the risk and the pool of limited resources must be split up to work towards a solid defence.
\n<\/span><\/p>\n

The biggest challenge is that we have a rapidly growing development community; while the security team is growing to meet our needs, we need to find better ways to scale testing and analysis to get the same results with better efficiency.\u00a0 Out of the gate, I am going to deal with one important issue by casually tossing it off to the side.\u00a0 Tooling is a really important part of the discussion, but the bottom line is that tools won’t make a difference in your organization if you don’t have the right people to use them.\u00a0 Good tools might<\/em> help unskilled workers get good results, but skilled workers with suboptimal tools will still get great results.\u00a0 The adage “It’s a poor craftsman who blames his tools” sums it up neatly.<\/p>\n

In order to scale up a team with limited resources (time, people, money), there are a number of things that can be done.<\/p>\n