Overcoming The Security/Business Conflict - Secure Code From the Get-Go (Page 3 of 3)

Secure Code From the Get-Go
Orange County, Calif., is discovering that, when planned properly, IT security doesn't interfere with the business of government. With the county seat in Santa Ana, the county that's home to Disneyland shows how one organization revisited IT security and business processes, made changes and is reaping benefits. Thanks to a virtualization project driven by the need for server consolidation, developers no longer trade off application development for secure code. "We now enable business processes by creating secure code during the development process rather than tacking it on at the end of the process," says Tony Lucich, division manager of network services for the county, with a population of some 3 million residents. As a result, application development time has been cut by at least one-third, he says. "Security no longer puts us in conflict with the business processes," he says.
Prior to the new virtual environment and a move to a service-oriented architecture, developers from different agencies created their own application environments. "They worked in silos and didn't communicate with one another," Lucich says. Lack of coordination ultimately resulted in actual or potential security breaches.
Security came into conflict with business processes in the county, for example, when a law enforcement agency developing a new case management system wrote the specs, purchased the equipment and prepared to write the code without consulting the central IT organization.
"We found out that the developers, who worked in a silo, didn't separate outside services (i.e., Web services) from inside services (i.e., database services), which meant the application wasn't secure," Lucich says. "A security breach was inevitable."
In the virtual environment, the county created a portal that includes best practices, training videos and tools to assist developers in generating efficient, secure code. The process has been streamlined. "All developers now share a pool of developer workstations from where they can log into the portal and share the same tools," Lucich says. That resulted in quicker prototyping of applications and faster deployments in a more secure environment. "It used to be okay to be on a three-year development cycle; not any more," Lucich says. "With services and applications, we're now on a three-month development cycle."
One of the first recommendations security consultants typically make is to address security up front. Unfortunately, however, only 10 percent to 20 percent of organizations implement security correctly during application development, according to John Pescatore, vice president of Internet security at Gartner, Inc. "The other 80 to 90 percent operate in a reactive mode," he says, fixing holes later and paying the price.
Don't Go It Alone
Given the inevitability of tradeoffs when it comes to security and business, SAP's Paulus insists only senior managers can decide how to weigh the three interdependent elements: cost, ease of use and security. "Some organizational cultures have upper management make every decision," he says. "Others rely on senior management to develop guidelines that are implemented by lower management."
Either way, getting buy-in and policy guidance from top corporate executives is also critical to finding balance when it comes to security tradeoffs. But that balance can indeed be found; you just have to do your homework.