April 18, 2006

On (information security) audit: giving money to the developers

Auditing information systems is fiendishly difficult. Think about it - a typical situation for a developer is discovering problems in the _small_ pieces of code that she's working on _right_now_. Few days later other problems may be discovered. Half a year from that - yet other.

Then, as the system is assembled, parts developed by different people come together, a whole new world of problems emerge. The people who built it have scattered knowledge of the system themselves.

Now, to audit. Suits come in, unpack their laptops, run standard tests, look (!) at everything and ask tough questions. A week after they conclude whether the system the very authors have no complete knowledge of is good or not. And then they leave.

Hence my point - a good team should be doing internal audits as it goes. A good developer should be running custom-tailored tests, looking at the thing, asking tough questions no worse than the auditors. And the knowledge remains with the company.

Therefore, why not investing the same money into team education, so that they become their own auditors ? It's the old "give fish" vs. "teach to fish" thing.

I realize there are PR and sometimes legal aspects to audit, but to a developer PR along with legalities don't make much sense.

1 comment:

Priya said...

Thanks for the valuable information. Are you looking for a one-stop solution to your Information/Cybersecurity needs? IARM, one of the few companies to focus exclusively on End-End Information/Cybersecurity solutions and services providers to organizations across all verticals. Cybersecurity Audit Services
ISO 27001 Implementation and Consulting Company in Chennai
ISO27001 Compliance Audit Service in Bangalore
VAPT service provider in India
Penetration Testing Company In India