I ran across this the other day and had to save it for later. Now later has arrived.
It makes me feel good to know that I'm not alone. One of the biggest frustrations with my job is that, since they didn't have an official security program before I got here, security is often an afterthought. Sometimes that means after a project has begun, and often it begins after the project has been completed. Similarly to Mathias, so far the best I've been able to do is get a few of the PMs on my team, and my signature is required on the final paperwork before something goes live. Unfortunately there are a few problems with this.
- The first problem is that after a project has gone from vision to final testing and is ready to deploy, the project team and sponsor get a little upset if security tries to put it on hold.
- Often, by the time I've found out about a project, it is almost too late to ensure proper security is in place.
- One of the most common things that I've run into is the lack of understanding of the need for security. I regularly hear "It's not on the Internet, so why does it need security?" or "You have to have a username and password to access the application, so it's secure."
I have been working on getting the rest of the enterprise to think about the need for security early on, and I am slowly starting to see some results. We have a major project coming up that has already asked for my input, and it isn't even slated to begin until 2010 or 2011. That makes a security guy smile. :)
It's never too early to think about security for an application or a project, but that's often not how it goes. Security is still an afterthought in the minds of many, and it requires that we not only be prepared to start at the beginning but also to jump in at any point in the process and ensure that security is properly implemented.