Simple doesn’t mean easy. Software security is challenging. There is no question about it. Rapidly changing technology stacks, combined with readily available attack tooling, only raise the challenge of building software that is resilient.
That said, software security does not need to be complex. It can be very simple. Not just at a high level, but at a low level as well. It takes some thought and some planning.
The goal of Software Security Made Simple is not only to make software security understandable, but to change the way people think about it. The way to do this will be through neurolinguistics and behavioral psychology. You might be thinking – I thought this was going to be simpler, and now you are bringing in psychology? Well, in order to make software security simple, human behavior needs to be understood, because at the end of the day security is driven by human behavior.
There is an interesting dilemma here. There will be no proof that this works. There almost can’t be as of yet. The only thing that can be proven is that, as of right now, the current way software security is implemented isn’t working nearly as well as it should after more than 30 years. And that time frame covers only Internet-based software development.
And this is where neurolinguistics comes into play. Tony Robbins talks about language as a key part of making change. Language makes up the beliefs we tell ourselves. And beliefs are just things we know to be true. They may or may not actually be true, but we know them to be. They influence the stories we tell and the actions we take. In order to make the changes we need to make, Mr. Robbins believes we need to do three things: change our state, change our story (our beliefs), and execute the strategy.
It could be wrong. There is enough anecdotal evidence to suggest it works. But there is also enough to suggest it fails. Not every one of Mr. Robbins’ clients is successful. And the ones that are? Are they just a case of survivorship bias?
The reason for that preamble (which, ironically, probably made things more complex to start) is to say this: if we are successful in changing how people think about software security, and progress is made on the adoption of software security, and software becomes more secure, we are never going to be able to prove it was the process changes we are suggesting. We will only be able to believe that the process changes played a significant role.
Even if you do not believe that we can change how software security is managed, we hope that we are able to provide some value for you – either in your software security journey or about psychology and human behavior. We sincerely appreciate you taking the time and welcome all feedback.