Source: AlienVault Blog
Identifier: 365864
Publication date: 2017-05-16 13:00:00 (seen: 2017-05-16 13:00:00)
Title: Innovation for the Sake of Innovation
Text:
“Perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away.” - Antoine de Saint-Exupéry
In today’s world, it feels as if innovation has become the curse of many companies. It forces changes and reinvents wheels that did not need reinventing, out of fear that a lack of innovation will be perceived as stagnation.
In addition, innovation for the sake of innovation can lead to security issues. These issues manifest predominantly in one of two ways:
Scope Creep
The first is scope creep and the introduction of vulnerabilities through hurried and unplanned changes. For example, adding a new set of fields to a web application at the last minute often results in an overworked developer hastily cobbling together code to incorporate the functionality. This can lead to inadequate testing and vulnerabilities being introduced.
But not all scope creep is rapid. Sometimes functionality is added slowly over time. What starts off life as a simple workflow ends up being a Frankenstein-esque corporate accounting, inventory, and pricing platform running the entire company.
The fundamental problem is that there is little linking of ideas from a brainstorm with reality. Oftentimes things that are 'nice to have' are just that: only nice to have. There’s no need to invest in a shiny box that will add artificial intelligence to your security team if you don't already have the basics mapped out.
Because we can
The second issue that comes about from ‘innovation for the sake of innovation’ is the introduction of features not out of need, but rather because they are available.
The ever-increasing number of smart devices is a good example of this. Just because it is possible to connect wirelessly to a kettle, a toaster, or a pillow, it doesn’t necessarily mean that it is a good idea.
In security teams, we often see this manifest in many ways. For example, keeping each and every log generated by every device is a good idea for investigations or to rebuild timelines. But is it really necessary for everything? Why not scope out, store full logs only for critical systems, and strip away the noise?
Or why build a fraud detection system when the threat of fraud against your business is low?
The user experience
Any time new features or functionality are added, the user experience takes a hit. Even ‘good’ updates require users to learn new menu commands, alter their workflow, or simply retrain muscle memory to click on a different part of the screen.
But more so, it can disrupt the natural use of a product or technology. For example, an email client should be an email client. When it morphs into an all-singing, all-dancing CRM with context-aware reminders and Bluetooth-enabled functionality, one wonders whether the product is actually an email client at all.
Security is not immune to these problems. Whether it is in-house scripts that evolve into a homegrown SOC or the enabling of additional capabilities, the result is unnecessary complexity and confusion.
The impact of such security changes is amplified when they reach the end user. Password reset policies, multi-factor authentication, phishing exercises, etc. all add to the mental workload of the users.
Technology, and by extension security, shouldn’t need to go through innovation for the sake of innovation. While arguments can be made for the progress such innovation brings, the risks often outweigh the pros.
Instead, I propose technology be put on an ‘Atkins diet’ of decluttering. While there are many intricacies to decluttering, they can be broken down into two broad steps:
Simplify
When looking at your
Notes:
Sent: Yes
Tags: Guideline
Stories: Wannacry