Why Security Waivers Need Accountability
By Roy D. Follendore III
Copyright (c) 2007 by RDFollendoreIII
March 16, 2007

As with the general traditional philosophy of security, waivers are seen in the negative sense, not the positive. The way that waivers are being treated is fear based. (A waiver is a potential pin prick that can pop the theoretical security bubble.) Executives therefore look at waivers as a potential basket of bad eggs instead of as assumptions related to technical opportunities that need to be managed. As a result of their fears, managers create official and unofficial, intentional and unintentional waivers and hide them like Easter eggs all over the place, hoping that no one will find them. Technology eventually becomes layered, and so too do all of the forgotten Easter eggs.

In the all-or-nothing perspective of bubble security it should not be surprising when organizations do not have a waiver management process. They wrongly assume that there can be no waiver management process when a system is completely secure. Waivers take place with or without approval, intentionally and unintentionally, as well as officially and tacitly. Tacitly approving and then hiding waivers by looking the other way, allowing design concerns and then postponing reviews, shifting the responsibility to people who do not have the authority to act upon it, or simply changing the scope and nature of the problem by executive order are all ways of burying technical problems through bureaucracy. This is all well and good for the executive who comes, goes and then retires without a sign of a problem on his shift. The trouble with this is that machines don’t care how securely, effectively or efficiently they perform, and our opposition won’t give up looking. Intuition is a powerful hacking tool. If people are intelligent, experienced and sensitive about human nature, they realize that they know where to look for these Easter eggs without knowing much at all about the systems.
You can think of this as a form of what I have previously coined “technical profiling”. It was well known in the dark ages that where there are degrees of freedom there are always chinks in the armor. These people certainly are not going to tell you about the problems that they find if they are dishonest, and if they are honest they are not allowed to and/or don’t want to get involved. Without a legitimate waiver management process there can be no defense of waived gaps, and eventually no official recognition that they were ever known. It is as simple as this, folks: if you are not tracking your security holes, then you can bet that someone else is. If you are an executive or a technical professional and you have read this, then you have an obligation to see that your organization does not continue to bury its head in the sand and call the process security. Waivers, whether they be official, inadvertently incidental or accidental, should have accountability.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved